From 1bc43140a3d5c9e919e985c85996a9c834cdc4ae Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 21 May 2026 22:28:41 +0000 Subject: [PATCH 1/3] Require detection success for update_cache_memory Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/smoke-pi.lock.yml | 3 +-- ...ache-memory-threat-detection-expression.md | 4 ++-- ...t-copilot-cache-memory-threat-detection.md | 2 +- pkg/workflow/cache.go | 6 +++--- .../cache_memory_threat_detection_test.go | 4 ++-- pkg/workflow/compiler_jobs_test.go | 16 +++++++------- pkg/workflow/expression_builder.go | 2 +- ...ction_job_combinations_integration_test.go | 21 +++++++++++-------- 8 files changed, 31 insertions(+), 27 deletions(-) diff --git a/.github/workflows/smoke-pi.lock.yml b/.github/workflows/smoke-pi.lock.yml index 14e2d260a4f..3b0481f9f1e 100644 --- a/.github/workflows/smoke-pi.lock.yml +++ b/.github/workflows/smoke-pi.lock.yml @@ -1570,7 +1570,7 @@ jobs: - agent - detection if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: @@ -1620,4 +1620,3 @@ jobs: with: key: memory-none-nopolicy-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory - diff --git a/pkg/cli/workflows/test-copilot-cache-memory-threat-detection-expression.md b/pkg/cli/workflows/test-copilot-cache-memory-threat-detection-expression.md index 4d8105e722f..b6b51f758fe 100644 --- a/pkg/cli/workflows/test-copilot-cache-memory-threat-detection-expression.md +++ b/pkg/cli/workflows/test-copilot-cache-memory-threat-detection-expression.md 
@@ -41,8 +41,8 @@ The compiled output must contain: - `detection` job with `if:` referencing `inputs.enable-threat-detection` - `actions/cache/restore` in the agent job (detection is present at compile time) - `update_cache_memory` job depending on `detection` -- `update_cache_memory` condition using `always()` and accepting detection `skipped` - so cache is saved even when detection is skipped at runtime +- `update_cache_memory` condition using `always()` and requiring detection `success` + so cache is only saved after detection actually runs and succeeds Steps: 1. Check existing files in `/tmp/gh-aw/cache-memory/` diff --git a/pkg/cli/workflows/test-copilot-cache-memory-threat-detection.md b/pkg/cli/workflows/test-copilot-cache-memory-threat-detection.md index ed6c35f7bc1..1703b763a22 100644 --- a/pkg/cli/workflows/test-copilot-cache-memory-threat-detection.md +++ b/pkg/cli/workflows/test-copilot-cache-memory-threat-detection.md @@ -34,7 +34,7 @@ This workflow demonstrates `cache-memory` combined with standard threat detectio When detection is enabled the compiled output must contain: - `actions/cache/restore` (instead of `actions/cache`) in the agent job - An `update_cache_memory` job that depends on `detection` -- `update_cache_memory` condition using `always()` and accepting detection `skipped` +- `update_cache_memory` condition using `always()` and requiring detection `success` Steps: 1. Check what files exist in `/tmp/gh-aw/cache-memory/` from previous runs diff --git a/pkg/workflow/cache.go b/pkg/workflow/cache.go index 7bedb18259a..172cff11957 100644 --- a/pkg/workflow/cache.go +++ b/pkg/workflow/cache.go 
@@ -966,14 +966,14 @@ func (c *Compiler) buildUpdateCacheMemoryJob(data *WorkflowData, threatDetection // Prepend setup steps to all cache steps steps = append(setupSteps, steps...) - // Job condition: run if detection job succeeded (no threats found) or was skipped (no outputs to detect), + // Job condition: run only if detection job succeeded (no threats found), // AND the agent job succeeded (do not persist cache when agent failed or was skipped). - // Using always() so the job runs even when detection is skipped (which sets result = 'skipped'). + // Using always() so this condition is evaluated even if an upstream job is skipped/failed. agentSucceeded := BuildEquals( BuildPropertyAccess(fmt.Sprintf("needs.%s.result", constants.AgentJobName)), BuildStringLiteral("success"), ) - jobCondition := RenderCondition(BuildAnd(BuildAnd(BuildFunctionCall("always"), buildDetectionPassedCondition()), agentSucceeded)) + jobCondition := RenderCondition(BuildAnd(BuildAnd(BuildFunctionCall("always"), buildDetectionSuccessCondition()), agentSucceeded)) // Set up permissions for the cache update job // If using local actions (dev mode without action-tag), we need contents: read to checkout the actions folder diff --git a/pkg/workflow/cache_memory_threat_detection_test.go b/pkg/workflow/cache_memory_threat_detection_test.go index d96dca108d4..71873b9f7f9 100644 --- a/pkg/workflow/cache_memory_threat_detection_test.go +++ b/pkg/workflow/cache_memory_threat_detection_test.go @@ -56,8 +56,8 @@ Test workflow with cache-memory and threat detection enabled.`, "update_cache_memory:", "- detection", "if: >", - "always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') &&", - "needs.agent.result != 'skipped'", + "always() && needs.detection.result == 'success' &&", + "needs.agent.result == 'success'", "- name: Download cache-memory artifact (default)", "- name: Save cache-memory to cache (default)", "uses: actions/cache/save@", 
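Review bot: The rewritten comment above `jobCondition` in `buildUpdateCacheMemoryJob` no longer says why a skipped detection is rejected, and this is the line a maintainer will read when a run with skipped detection stops updating its cache. I would add `// 'skipped' is deliberately not accepted: cache-memory is restored into later runs, so it is saved only after detection has actually run and passed.` next to the `buildDetectionSuccessCondition()` call. The consequence belongs there too: per the doc comment on `buildDetectionPassedCondition`, detection is skipped when the agent produced no outputs or patch, so such runs will now leave the cache unchanged, which is presumably intended but should be written down. The function body starts and ends outside this hunk.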
diff --git a/pkg/workflow/compiler_jobs_test.go b/pkg/workflow/compiler_jobs_test.go index 7d24bf4c2c4..7ef9e4f1640 100644 --- a/pkg/workflow/compiler_jobs_test.go +++ b/pkg/workflow/compiler_jobs_test.go @@ -3363,9 +3363,8 @@ func TestPushRepoMemoryJobConditionalDetection(t *testing.T) { } } -// TestUpdateCacheMemoryJobConditionalDetection verifies that update_cache_memory already uses -// always() and buildDetectionPassedCondition() (accepting 'success' or 'skipped') when -// detection is expression-controlled, so the job still runs when detection is skipped at runtime. +// TestUpdateCacheMemoryJobConditionalDetection verifies that update_cache_memory keeps always() +// but requires detection success (not skipped) when detection is expression-controlled. func TestUpdateCacheMemoryJobConditionalDetection(t *testing.T) { compiler := NewCompiler() compiler.jobManager = NewJobManager() @@ -3402,13 +3401,16 @@ func TestUpdateCacheMemoryJobConditionalDetection(t *testing.T) { t.Fatal("expected non-nil update_cache_memory job") } - // Job condition must use always() so it runs even when detection is skipped at runtime + // Job condition must include always() so explicit condition checks are evaluated. if !strings.Contains(job.If, "always()") { t.Errorf("update_cache_memory if: %q should contain 'always()'", job.If) } - // Job condition must accept detection being skipped - if !strings.Contains(job.If, "'skipped'") { - t.Errorf("update_cache_memory if: %q should accept 'skipped' detection result", job.If) + // Job condition must require detection success and must not accept skipped. + if !strings.Contains(job.If, "needs.detection.result == 'success'") { + t.Errorf("update_cache_memory if: %q should require detection success", job.If) + } + if strings.Contains(job.If, "'skipped'") { + t.Errorf("update_cache_memory if: %q must not accept skipped detection result", job.If) } // Detection must be in Needs if !slices.Contains(job.Needs, string(constants.DetectionJobName)) { 
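Review bot: The new assertions in `TestUpdateCacheMemoryJobConditionalDetection` are substring checks, so they cannot tell whether `needs.detection.result == 'success'` is joined with `&&` or sits inside an `||`; a condition that ORs it with any result other than `'skipped'` would pass both the positive check and the `'skipped'` exclusion. The agent half of the gate is not asserted in this hunk either. Because this test guards the condition that decides whether agent-written state is persisted, consider comparing a whitespace-normalized `job.If` against the full expected expression, `always() && needs.detection.result == 'success' && needs.agent.result == 'success'`, assuming `job.If` renders the way the lock files show it. The test function starts before and continues past this hunk.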
diff --git a/pkg/workflow/expression_builder.go b/pkg/workflow/expression_builder.go index 1007a8eab41..b8a8270881f 100644 --- a/pkg/workflow/expression_builder.go +++ b/pkg/workflow/expression_builder.go @@ -280,7 +280,7 @@ func buildDetectionSuccessCondition() ConditionNode { // buildDetectionPassedCondition builds the condition to check if the detection job either // succeeded (no threats found) or was skipped (agent produced no outputs or patch — nothing // to detect against). Use this for downstream jobs that must run in both cases, such as -// update_cache_memory and push_repo_memory. +// push_repo_memory and safe-jobs. func buildDetectionPassedCondition() ConditionNode { return BuildOr( buildDetectionSuccessCondition(), diff --git a/pkg/workflow/threat_detection_job_combinations_integration_test.go b/pkg/workflow/threat_detection_job_combinations_integration_test.go index f084bfd7a79..2f07f290bdb 100644 --- a/pkg/workflow/threat_detection_job_combinations_integration_test.go +++ b/pkg/workflow/threat_detection_job_combinations_integration_test.go @@ -192,7 +192,7 @@ Test workflow. }, }, { - name: "cache-memory + threat-detection: true → update_cache_memory depends on detection", + name: "cache-memory + threat-detection: true → update_cache_memory requires detection success", frontmatter: `--- on: workflow_dispatch permissions: read-all @@ -209,7 +209,7 @@ Test workflow. wantJobs: []string{"safe_outputs", "detection", "update_cache_memory"}, wantNotJobs: []string{"push_repo_memory"}, wantInJobIf: map[string][]string{ - "update_cache_memory": {"always()", "'skipped'"}, + "update_cache_memory": {"always()", "needs.detection.result == 'success'"}, }, }, { 
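Review bot: The updated doc comment on `buildDetectionPassedCondition` still names `push_repo_memory` as a job that must run when detection is skipped, and the integration-test expectations in this patch keep `"push_repo_memory": {"always()", "'skipped'"}`. Repo memory looks like the same kind of agent-written state persisted for later runs as cache-memory (inferred from the name; its implementation is not in this diff), so the comment should say why the skipped case is acceptable there but not for `update_cache_memory`. A line such as `// update_cache_memory is intentionally excluded: it uses buildDetectionSuccessCondition so state is persisted only after detection ran.` would also keep the two helpers from being swapped back by accident.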
@@ -231,7 +231,7 @@ Test workflow. wantNotJobs: []string{"detection", "update_cache_memory", "push_repo_memory"}, }, { - name: "cache-memory + expression detection → update_cache_memory condition accepts skipped", + name: "cache-memory + expression detection → update_cache_memory requires detection success", frontmatter: `--- on: workflow_call: @@ -254,7 +254,7 @@ Test workflow. wantNotJobs: []string{"push_repo_memory"}, wantInJobIf: map[string][]string{ "detection": {"inputs.enable-threat-detection"}, - "update_cache_memory": {"always()", "'skipped'"}, + "update_cache_memory": {"always()", "needs.detection.result == 'success'"}, }, }, { @@ -312,7 +312,7 @@ Test workflow. wantInJobIf: map[string][]string{ "detection": {"inputs.enable-threat-detection"}, "push_repo_memory": {"always()", "'skipped'"}, - "update_cache_memory": {"always()", "'skipped'"}, + "update_cache_memory": {"always()", "needs.detection.result == 'success'"}, }, }, } @@ -533,8 +533,8 @@ Test workflow. // TestCacheMemoryWithThreatDetectionNeedsAndConditions tests update_cache_memory job // graph position across all three detection modes. -// The job exists only when detection is enabled; its condition uses always() + 'skipped' -// so it runs even when expression-controlled detection is skipped at runtime. +// The job exists only when detection is enabled; its condition uses always() +// and requires detection success. func TestCacheMemoryWithThreatDetectionNeedsAndConditions(t *testing.T) { cases := []struct { name string @@ -552,7 +552,7 @@ func TestCacheMemoryWithThreatDetectionNeedsAndConditions(t *testing.T) { wantCacheMemJob: true, wantDetectionDep: true, wantAlwaysInCond: true, - wantSkippedInCond: true, + wantSkippedInCond: false, }, { name: "boolean false", @@ -567,7 +567,7 @@ func TestCacheMemoryWithThreatDetectionNeedsAndConditions(t *testing.T) { wantCacheMemJob: true, wantDetectionDep: true, wantAlwaysInCond: true, - wantSkippedInCond: true, + wantSkippedInCond: false, }, } 
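Review bot: After the edits in the `@@ -552` and `@@ -567` hunks, `wantSkippedInCond` is `false` in every case of `TestCacheMemoryWithThreatDetectionNeedsAndConditions` visible here, which would leave the `if tc.wantSkippedInCond` branch in the `@@ -631` hunk unreachable. If the "boolean false" case (not fully shown) is also `false`, drop the field and run `assert.NotContains(t, cacheSection, "'skipped'", ...)` whenever `tc.wantCacheMemJob` is true. Guarding on `wantCacheMemJob` matters because a `NotContains` on an empty section passes without checking anything; how `cacheSection` is extracted lies outside these hunks.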
@@ -631,6 +631,9 @@ Test workflow. if tc.wantSkippedInCond { assert.Contains(t, cacheSection, "'skipped'", "update_cache_memory if: should accept skipped detection for threat-detection=%s", tc.threatDetection) + } else { + assert.NotContains(t, cacheSection, "'skipped'", + "update_cache_memory if: should not accept skipped detection for threat-detection=%s", tc.threatDetection) } }) } From 03bbf830bd69ee451dc3d61804a9b290012453f7 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 21 May 2026 22:30:34 +0000 Subject: [PATCH 2/3] Recompile lock workflows for detection-success cache gating Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/ab-testing-advisor.lock.yml | 4 +--- .../workflows/agent-persona-explorer.lock.yml | 4 +--- .../workflows/api-consumption-report.lock.yml | 4 +--- .github/workflows/audit-workflows.lock.yml | 4 +--- .../workflows/chaos-pr-bundle-fuzzer.lock.yml | 4 +--- .github/workflows/ci-coach.lock.yml | 4 +--- .github/workflows/ci-doctor.lock.yml | 4 +--- .../claude-code-user-docs-review.lock.yml | 4 +--- .github/workflows/cli-version-checker.lock.yml | 4 +--- .github/workflows/cloclo.lock.yml | 4 +--- .github/workflows/code-scanning-fixer.lock.yml | 4 +--- .../workflows/constraint-solving-potd.lock.yml | 4 +--- .../workflows/copilot-agent-analysis.lock.yml | 4 +--- .github/workflows/copilot-opt.lock.yml | 4 +--- .../workflows/copilot-pr-merged-report.lock.yml | 4 +--- .../workflows/copilot-pr-nlp-analysis.lock.yml | 4 +--- .../copilot-pr-prompt-analysis.lock.yml | 4 +--- .../workflows/copilot-session-insights.lock.yml | 4 +--- .../daily-architecture-diagram.lock.yml | 4 +--- .../daily-aw-cross-repo-compile-check.lock.yml | 4 +--- .../daily-cache-strategy-analyzer.lock.yml | 16 +++++++--------- .../workflows/daily-caveman-optimizer.lock.yml | 4 +--- .github/workflows/daily-code-metrics.lock.yml | 4 +--- .../workflows/daily-compiler-quality.lock.yml | 4 +--- .github/workflows/daily-doc-healer.lock.yml | 4 +--- .github/workflows/daily-doc-updater.lock.yml | 4 +--- .../workflows/daily-experiment-report.lock.yml | 4 +--- .github/workflows/daily-fact.lock.yml | 16 +++++++--------- .github/workflows/daily-firewall-report.lock.yml | 4 +--- .github/workflows/daily-function-namer.lock.yml | 4 +--- .github/workflows/daily-hippo-learn.lock.yml | 4 +--- .github/workflows/daily-issues-report.lock.yml | 4 +--- 
.../daily-mcp-concurrency-analysis.lock.yml | 4 +--- .github/workflows/daily-news.lock.yml | 4 +--- .../workflows/daily-performance-summary.lock.yml | 4 +--- .../daily-rendering-scripts-verifier.lock.yml | 4 +--- .github/workflows/daily-repo-chronicle.lock.yml | 4 +--- .../daily-safe-output-optimizer.lock.yml | 4 +--- .../daily-security-observability.lock.yml | 4 +--- .../workflows/daily-security-red-team.lock.yml | 4 +--- .../workflows/daily-spdd-spec-planner.lock.yml | 4 +--- .../workflows/daily-subagent-optimizer.lock.yml | 4 +--- .github/workflows/dead-code-remover.lock.yml | 4 +--- .github/workflows/deep-report.lock.yml | 4 +--- .../developer-docs-consolidator.lock.yml | 4 +--- .github/workflows/firewall-escape.lock.yml | 4 +--- .../github-mcp-structural-analysis.lock.yml | 4 +--- .../workflows/github-mcp-tools-report.lock.yml | 4 +--- .github/workflows/glossary-maintainer.lock.yml | 4 +--- .github/workflows/go-fan.lock.yml | 4 +--- .github/workflows/go-logger.lock.yml | 4 +--- .github/workflows/gpclean.lock.yml | 4 +--- .github/workflows/instructions-janitor.lock.yml | 4 +--- .github/workflows/jsweep.lock.yml | 4 +--- .github/workflows/linter-miner.lock.yml | 4 +--- .github/workflows/lockfile-stats.lock.yml | 4 +--- .github/workflows/mcp-inspector.lock.yml | 4 +--- .github/workflows/org-health-report.lock.yml | 4 +--- .github/workflows/outcome-collector.lock.yml | 4 +--- .github/workflows/pdf-summary.lock.yml | 4 +--- .github/workflows/poem-bot.lock.yml | 4 +--- .../prompt-clustering-analysis.lock.yml | 4 +--- .github/workflows/python-data-charts.lock.yml | 4 +--- .github/workflows/refactoring-cadence.lock.yml | 4 +--- .github/workflows/repo-audit-analyzer.lock.yml | 4 +--- .../repository-quality-improver.lock.yml | 4 +--- .github/workflows/safe-output-health.lock.yml | 4 +--- .../schema-consistency-checker.lock.yml | 4 +--- .github/workflows/scout.lock.yml | 4 +--- .github/workflows/slide-deck-maintainer.lock.yml | 4 +--- 
.github/workflows/smoke-claude.lock.yml | 4 +--- .github/workflows/smoke-codex.lock.yml | 16 +++++++--------- .github/workflows/smoke-copilot-arm.lock.yml | 4 +--- .github/workflows/smoke-copilot.lock.yml | 4 +--- .github/workflows/smoke-gemini.lock.yml | 4 +--- .github/workflows/smoke-pi.lock.yml | 5 ++--- .../smoke-update-cross-repo-pr.lock.yml | 4 +--- .github/workflows/spec-enforcer.lock.yml | 4 +--- .github/workflows/spec-extractor.lock.yml | 4 +--- .github/workflows/stale-repo-identifier.lock.yml | 4 +--- .../workflows/static-analysis-report.lock.yml | 4 +--- .github/workflows/step-name-alignment.lock.yml | 4 +--- .github/workflows/super-linter.lock.yml | 4 +--- .github/workflows/technical-doc-writer.lock.yml | 4 +--- .../test-create-pr-error-handling.lock.yml | 4 +--- .github/workflows/unbloat-docs.lock.yml | 4 +--- .github/workflows/weekly-issue-summary.lock.yml | 4 +--- 87 files changed, 106 insertions(+), 279 deletions(-) diff --git a/.github/workflows/ab-testing-advisor.lock.yml b/.github/workflows/ab-testing-advisor.lock.yml index d245bbbea47..e5438226fd1 100644 --- a/.github/workflows/ab-testing-advisor.lock.yml +++ b/.github/workflows/ab-testing-advisor.lock.yml @@ -1563,9 +1563,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 1324ee61abf..1844dff3fd7 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml 
@@ -1673,9 +1673,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/api-consumption-report.lock.yml b/.github/workflows/api-consumption-report.lock.yml index 06961ad1280..95e1cec6b3e 100644 --- a/.github/workflows/api-consumption-report.lock.yml +++ b/.github/workflows/api-consumption-report.lock.yml @@ -1928,9 +1928,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 7cadd07a85a..3df6c730114 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1824,9 +1824,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml index 8c0ed2c151d..cc46e8d2ef9 100644 --- a/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml +++ b/.github/workflows/chaos-pr-bundle-fuzzer.lock.yml 
@@ -1548,9 +1548,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index b930cdd0f3e..2b2e4b2d7a1 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -1726,9 +1726,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 79d2f11984b..469a27343c9 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1809,9 +1809,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 71b92996d5e..4f350287c47 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml 
@@ -1538,9 +1538,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index bc4f7b4b303..cc1458ca160 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -1546,9 +1546,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 9228c813562..83d9d5453e9 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -2020,9 +2020,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index c43f544545e..daa907d2074 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml 
@@ -1755,9 +1755,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 1116585ec6a..ed056070d98 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -1437,9 +1437,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 0e98abe9dfc..aa513908f51 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1693,9 +1693,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/copilot-opt.lock.yml b/.github/workflows/copilot-opt.lock.yml index 5c95a42bc43..49f77469a04 100644 --- a/.github/workflows/copilot-opt.lock.yml +++ b/.github/workflows/copilot-opt.lock.yml 
@@ -1523,9 +1523,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 37ae191b853..7a9c67dd41c 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -1397,9 +1397,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 770a5d34820..c60149e9a53 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1684,9 +1684,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 31d4d939ac4..16128a3d0b4 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml 
@@ -1624,9 +1624,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 4730020f22e..6448fcf489e 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1748,9 +1748,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index db77b872ad6..a05b6fd3972 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -1742,9 +1742,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml index 801fb403cde..94667b4a3d3 100644 --- a/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml +++ b/.github/workflows/daily-aw-cross-repo-compile-check.lock.yml 
@@ -1541,9 +1541,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-cache-strategy-analyzer.lock.yml b/.github/workflows/daily-cache-strategy-analyzer.lock.yml index d8674fe2101..d13f1e3500f 100644 --- a/.github/workflows/daily-cache-strategy-analyzer.lock.yml +++ b/.github/workflows/daily-cache-strategy-analyzer.lock.yml 
@@ -1474,18 +1474,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.16' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_b4bb9ee2eb484d4c_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_19e1193ed80817c5_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_b4bb9ee2eb484d4c_EOF + GH_AW_MCP_CONFIG_19e1193ed80817c5_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_6cfca379d1361375_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_0cc50b5f3342d4b6_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1496,11 +1496,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_6cfca379d1361375_EOF + GH_AW_MCP_CONFIG_0cc50b5f3342d4b6_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_5659f4c8abf67e9f_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_e92872d9d3c05e0f_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1510,7 +1510,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_5659f4c8abf67e9f_EOF + GH_AW_CODEX_SHELL_POLICY_e92872d9d3c05e0f_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } @@ -1706,9 +1706,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-caveman-optimizer.lock.yml b/.github/workflows/daily-caveman-optimizer.lock.yml index 37a201828f2..847c60064b4 100644 --- a/.github/workflows/daily-caveman-optimizer.lock.yml +++ b/.github/workflows/daily-caveman-optimizer.lock.yml 
@@ -1617,9 +1617,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 8cc0b3bdfde..29f9e64e0e7 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1853,9 +1853,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 5fc1f6fb756..677ca095f94 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -1693,9 +1693,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index e305728a463..21a2ddeae71 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml 
@@ -1727,9 +1727,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index d62b818ac8d..53490c9d94f 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1652,9 +1652,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-experiment-report.lock.yml b/.github/workflows/daily-experiment-report.lock.yml index 1b640e3b952..b9fc038eea2 100644 --- a/.github/workflows/daily-experiment-report.lock.yml +++ b/.github/workflows/daily-experiment-report.lock.yml @@ -1567,9 +1567,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index 65392df7c28..c253cb1e5a9 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml 
@@ -1530,18 +1530,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.16' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_228f659dbb2e954c_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_676c4d7d12bf123c_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_228f659dbb2e954c_EOF + GH_AW_MCP_CONFIG_676c4d7d12bf123c_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_f03097ec1b63ab7f_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_d43b6f16abdd74d9_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1552,11 +1552,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_f03097ec1b63ab7f_EOF + GH_AW_MCP_CONFIG_d43b6f16abdd74d9_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_70566ede93c142d4_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_7cea4a91b25e84d9_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1566,7 +1566,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_70566ede93c142d4_EOF + GH_AW_CODEX_SHELL_POLICY_7cea4a91b25e84d9_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } @@ -1841,9 +1841,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 5691138733b..865afdbc1a6 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml 
@@ -1611,9 +1611,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index 575f5e0fe6b..6952807a34a 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -1635,9 +1635,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-hippo-learn.lock.yml b/.github/workflows/daily-hippo-learn.lock.yml index cc559699d14..62634d6c3ce 100644 --- a/.github/workflows/daily-hippo-learn.lock.yml +++ b/.github/workflows/daily-hippo-learn.lock.yml @@ -1595,9 +1595,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index e71ca5f942d..84f545c81c4 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml 
@@ -1820,9 +1820,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index f9288702f33..d547c8368ce 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -1614,9 +1614,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 9edf434ec5f..b9e5215fd2b 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1915,9 +1915,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index abb66daff87..073ed592297 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml 
@@ -2007,9 +2007,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index 6dc5a78582e..12f1f33ce1a 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -1849,9 +1849,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 0352c910af4..35cab3707ba 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -1517,9 +1517,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index cce1205ac76..80a1a124f58 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml 
@@ -1757,9 +1757,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml index a5b1c51c619..416b8d430bc 100644 --- a/.github/workflows/daily-security-observability.lock.yml +++ b/.github/workflows/daily-security-observability.lock.yml @@ -1642,9 +1642,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 3b30c86f5dc..3552b784acd 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -1703,9 +1703,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-spdd-spec-planner.lock.yml b/.github/workflows/daily-spdd-spec-planner.lock.yml index 508e0f09811..84878425933 100644 --- a/.github/workflows/daily-spdd-spec-planner.lock.yml +++ b/.github/workflows/daily-spdd-spec-planner.lock.yml 
@@ -1501,9 +1501,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/daily-subagent-optimizer.lock.yml b/.github/workflows/daily-subagent-optimizer.lock.yml index d800dd868ed..39260794ef7 100644 --- a/.github/workflows/daily-subagent-optimizer.lock.yml +++ b/.github/workflows/daily-subagent-optimizer.lock.yml @@ -1634,9 +1634,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 8aaad7609ce..a16dba1f4f3 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -1623,9 +1623,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 8466d8cdd14..a34b6f93a8f 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml 
@@ -2191,9 +2191,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 5dd69cd46cf..77403376715 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1884,9 +1884,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index b586693c82a..386aeb32b96 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -1709,9 +1709,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 4d978cc0c06..0a4a1f72e56 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml 
@@ -1587,9 +1587,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index f038a8a8e05..3e2d4edd409 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1654,9 +1654,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 926cea7dcf6..f407b92599b 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1771,9 +1771,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 52ece95a02b..a72f4e63cc4 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml 
@@ -1642,9 +1642,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 41633a4352b..e2d2c6cc665 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1819,9 +1819,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index a5f310746bf..3b30c6d5adf 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -1476,9 +1476,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 7700b77fd33..3d792eab9f8 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml 
@@ -1641,9 +1641,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 94de40b549d..8155d8099e6 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -1561,9 +1561,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/linter-miner.lock.yml b/.github/workflows/linter-miner.lock.yml index 66abaa138cb..30170649823 100644 --- a/.github/workflows/linter-miner.lock.yml +++ b/.github/workflows/linter-miner.lock.yml @@ -1619,9 +1619,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 6be17ed1867..6d09410999f 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -1530,9 +1530,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read 
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 6457aeea9ea..d881a388ef8 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -2289,9 +2289,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index f0f432ded7d..bca1fa09dc0 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -1541,9 +1541,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/outcome-collector.lock.yml b/.github/workflows/outcome-collector.lock.yml index 1ec0174aa0d..2454c6e9cba 100644 --- a/.github/workflows/outcome-collector.lock.yml +++ b/.github/workflows/outcome-collector.lock.yml @@ -1484,9 +1484,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index be1f96186b4..08280be674b 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml 
@@ -1665,9 +1665,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 0817f381261..d380d22457e 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1950,9 +1950,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 5320b9d7f7a..ecd65735bea 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1709,9 +1709,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index c76659f73fa..c65ede7a602 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml 
@@ -1622,9 +1622,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/refactoring-cadence.lock.yml b/.github/workflows/refactoring-cadence.lock.yml index dca4902c2a0..230c4d06e94 100644 --- a/.github/workflows/refactoring-cadence.lock.yml +++ b/.github/workflows/refactoring-cadence.lock.yml @@ -1534,9 +1534,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 7bc3c811438..d1bd3294674 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -1473,9 +1473,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 0f0f8f92370..087fb337267 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml 
@@ -1473,9 +1473,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 7c252af6f7f..ff1118d2fdc 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1654,9 +1654,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 6186851b4e9..02147c6d3b6 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -1532,9 +1532,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 479cd78dee7..5b430ce536f 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml 
@@ -1841,9 +1841,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 12a26f9368a..0f4ca6eafa9 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1698,9 +1698,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 6db24d09d96..c5024822ecc 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -3103,9 +3103,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 322c1861752..a9c17d4a286 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml 
@@ -1760,18 +1760,18 @@ jobs: DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0') export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e CODEX_HOME -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.16' - cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_f7f06beb933d579f_EOF + cat > "${RUNNER_TEMP}/gh-aw/mcp-config/config.toml" << GH_AW_MCP_CONFIG_56b7fc8226cda58a_EOF [history] persistence = "none" [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_MCP_CONFIG_f7f06beb933d579f_EOF + GH_AW_MCP_CONFIG_56b7fc8226cda58a_EOF # Generate JSON config for MCP gateway GH_AW_NODE=$(which node 2>/dev/null || command -v node 
2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_dd7a370ff8e6e8b9_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_7187fbae32344021_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { }, @@ -1782,11 +1782,11 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_dd7a370ff8e6e8b9_EOF + GH_AW_MCP_CONFIG_7187fbae32344021_EOF # Sync converter output to writable CODEX_HOME for Codex mkdir -p /tmp/gh-aw/mcp-config - cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_8602355a14cc0937_EOF + cat > "/tmp/gh-aw/mcp-config/config.toml" << GH_AW_CODEX_SHELL_POLICY_2dd42234c11b05a5_EOF model_provider = "openai-proxy" [model_providers.openai-proxy] name = "OpenAI AWF proxy" @@ -1796,7 +1796,7 @@ jobs: [shell_environment_policy] inherit = "core" include_only = ["CODEX_API_KEY", "HOME", "OPENAI_API_KEY", "PATH"] - GH_AW_CODEX_SHELL_POLICY_8602355a14cc0937_EOF + GH_AW_CODEX_SHELL_POLICY_2dd42234c11b05a5_EOF awk ' BEGIN { skip_openai_proxy = 0 } /^[[:space:]]*model_provider[[:space:]]*=/ { next } @@ -2198,9 +2198,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index d4b7b14310b..2aeee924d7b 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml 
@@ -2491,9 +2491,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 0f13da6db97..7a89f1cccc6 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -2716,9 +2716,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index cddd8732a3d..e673fff86f8 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1750,9 +1750,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/smoke-pi.lock.yml b/.github/workflows/smoke-pi.lock.yml index 3b0481f9f1e..5fd55600838 100644 --- a/.github/workflows/smoke-pi.lock.yml +++ b/.github/workflows/smoke-pi.lock.yml @@ -1569,9 +1569,7 @@ jobs: - activation - agent - detection - if: > - always() && needs.detection.result == 'success' && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read 
@@ -1620,3 +1618,4 @@ jobs: with: key: memory-none-nopolicy-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory + diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index ab9f4ee74cf..c4ccc7c168d 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml @@ -1721,9 +1721,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/spec-enforcer.lock.yml b/.github/workflows/spec-enforcer.lock.yml index 41b3fcfed9d..e42441370c2 100644 --- a/.github/workflows/spec-enforcer.lock.yml +++ b/.github/workflows/spec-enforcer.lock.yml @@ -1679,9 +1679,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/spec-extractor.lock.yml b/.github/workflows/spec-extractor.lock.yml index abfa6f9666b..9e4768a6345 100644 --- a/.github/workflows/spec-extractor.lock.yml +++ b/.github/workflows/spec-extractor.lock.yml @@ -1658,9 +1658,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read 
diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 368d610fbe9..0e7a893d2ce 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1675,9 +1675,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index a82c870806d..196b65c48a4 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1678,9 +1678,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 8dc679ec130..d87a49e2d53 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -1555,9 +1555,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index c889cfe7b45..99b44fecd6d 100644 --- a/.github/workflows/super-linter.lock.yml 
+++ b/.github/workflows/super-linter.lock.yml @@ -1549,9 +1549,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 8dacd035163..7b2b9d37cb9 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1767,9 +1767,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index d25f3e17528..ec8cffb4399 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -1610,9 +1610,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 80d989bfa19..0e1713e7866 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml 
@@ -1848,9 +1848,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index afbd0d87043..f0700aa2a70 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -1499,9 +1499,7 @@ jobs: - activation - agent - detection - if: > - always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && - needs.agent.result == 'success' + if: always() && needs.detection.result == 'success' && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: read From 4e9b8e80ef8b58cd9748ac9eb62352ff6b3762b6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 21 May 2026 22:34:31 +0000 Subject: [PATCH 3/3] Clarify detection-passed helper comment Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/expression_builder.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/workflow/expression_builder.go b/pkg/workflow/expression_builder.go index b8a8270881f..b2167fe42a8 100644 --- a/pkg/workflow/expression_builder.go +++ b/pkg/workflow/expression_builder.go 
@@ -279,8 +279,7 @@ func buildDetectionSuccessCondition() ConditionNode { // buildDetectionPassedCondition builds the condition to check if the detection job either // succeeded (no threats found) or was skipped (agent produced no outputs or patch — nothing -// to detect against). Use this for downstream jobs that must run in both cases, such as -// push_repo_memory and safe-jobs. +// to detect against). Use this for downstream jobs that must run in both cases. func buildDetectionPassedCondition() ConditionNode { return BuildOr( buildDetectionSuccessCondition(),