Skip to content

Add formal checkout behavior specification for agent and safe_outputs jobs#44225

Merged
pelikhan merged 15 commits into
mainfrom
copilot/specify-checkout-behavior
Jul 8, 2026
Merged

Add formal checkout behavior specification for agent and safe_outputs jobs#44225
pelikhan merged 15 commits into
mainfrom
copilot/specify-checkout-behavior

Conversation

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Checkout behavior is currently distributed across compiler/runtime paths, which makes auth precedence and mode-specific semantics hard to reason about quickly. This PR introduces a single formal specification for checkout behavior across activation, agent, and safe_outputs jobs, including trial mode and side-repo cases.

  • Specification baseline (W3C/RFC2119)

    • Added docs/src/content/docs/specs/checkout-behavior-specification.md.
    • Defines normative checkout behavior and conformance classes for compiler/runtime paths.
  • Authentication and credential lifecycle

    • Specifies precedence for github-token and github-app at checkout entry level, activation token resolution, and safe_outputs PR checkout token resolution.
    • Codifies the credential boundary: agent job defaults to credential stripping; safe_outputs PR path retains/configures credentials for fetch/push handlers.
  • Checkout mechanics and safety constraints

    • Documents checkout: merge behavior for repeated (repository, path, wiki) targets.
    • Specifies fetch-depth, fetch, sparse checkout partial-clone repair, and submodule credential-cleanup behavior.
    • Specifies checkout-manifest path safety and manifest-first lookup semantics for multi-repo handler resolution.
    • Captures activation sparse-checkout symlink target handling and root-escape rejection requirements.
  • Trial mode and side-repo targeting

    • Specifies trial-mode repository/token override behavior for checkout and safe-output targeting.
    • Specifies side-repo target derivation from current: true checkouts and side-repo auth precedence.
  • Reference docs linkage

    • Linked the new spec from docs/src/content/docs/reference/checkout.md.
checkout:
  - repository: org/target-repo
    path: target
    github-app:
      client-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
    fetch-depth: 0
    fetch: ["main", "refs/pulls/open/*"]
    sparse-checkout: |
      .github
      pkg/workflow
    submodules: recursive
    force-clean-git-credentials: true

Generated by 👨‍🍳 PR Sous Chef · 9.91 AIC · ⌖ 10.6 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 6.93 AIC · ⌖ 5.06 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 6.55 AIC · ⌖ 5.29 AIC · ⊞ 7.1K ·
Comment /souschef to run again

Copilot AI and others added 3 commits July 8, 2026 06:16
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Add formal checkout behavior specification for agent and safe outputs jobs Add formal checkout behavior specification for agent and safe_outputs jobs Jul 8, 2026
Copilot AI requested a review from pelikhan July 8, 2026 06:28
@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot merge main and recompile

Copilot AI and others added 2 commits July 8, 2026 06:53
…out-behavior

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot merge main and recompile

Done in 1a913a0: merged main and recompiled workflow lock files.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category docs
Risk 🟢 Low
Score 22/100 (impact:10 urgency:7 quality:5)
Action defer

Rationale: Draft PR adding a checkout behavior specification doc. Pure documentation, no code logic changes. Hold until ready for review (undraft).


Run §28924016278

Generated by 🔧 PR Triage Agent · 101 AIC · ⌖ 9.82 AIC · ⊞ 5.4K ·

@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot revert lock.yml files

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot revert lock.yml files

Done in a90e088: reverted the .lock.yml file changes.

@github-actions github-actions Bot mentioned this pull request Jul 8, 2026

@pelikhan pelikhan left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot checkout item must support a field to specify credentials to be used in safe-outputs

checkout:
...
safe-output-github-token: ...
safe-output-github-app: ...

- Symlink handling for activation sparse checkout
- Submodule credential cleanup behavior
- Trial mode and side-repo derivation behavior

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot also handle checkout manifest generation

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in f4562a1: added normative checkout-manifest generation requirements, including safe-outputs auth metadata handling and no persisted resolved tokens.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Section 3.4 (Checkout Manifest) was added in f4562a1 and is in the current spec — see lines 111–118 of checkout-behavior-specification.md. It covers the compiler requirement to emit a manifest step, manifest-path safety (absolute/out-of-workspace rejection), and the requirement to include safe_outputs auth metadata without persisting resolved token values.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, ensure the branch is up to date, and rerun checks.

Generated by 👨‍🍳 PR Sous Chef · 6.93 AIC · ⌖ 5.06 AIC · ⊞ 7.1K ·
Comment /souschef to run again

…out-behavior

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, ensure the branch is up to date, and rerun checks.

...

Branch updated: merged main (d4fdc968b5 — docs-only, no tooling drift). Local validation passes (make fmt, make lint, make test-unit all green). All open review threads have been addressed and replied to. CI needs a human re-trigger (close/reopen or workflow_dispatch) to run on the current HEAD.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, make any remaining updates needed to get this PR ready, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 6.55 AIC · ⌖ 5.29 AIC · ⊞ 7.1K ·
Comment /souschef to run again

Copilot AI and others added 2 commits July 8, 2026 17:04
#42926)

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, make any remaining updates needed to get this PR ready, and rerun checks once the branch is up to date.

...

Done. Here's what was addressed in this pass:

CI needs a human re-trigger (close/reopen or push) after this push to verify on the current HEAD.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

pr-sous-chef
@copilot please run the pr-finisher skill, address any unresolved review feedback, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 6.43 AIC · ⌖ 4.84 AIC · ⊞ 7.1K ·
Comment /souschef to run again

…out-behavior

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

pr-sous-chef
@copilot please run the pr-finisher skill, address any unresolved review feedback, and rerun checks once the branch is up to date.
...

Done in 795ae59: merged latest main (docs-only commit 2877be8). Local validation passes (make agent-report-progress green, no tooling drift). All review feedback was addressed in prior commits. CI needs a human re-trigger to run on the current HEAD.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category docs
Risk 🟢 low
Score 21/100 (impact:10 urgency:5 quality:6)
Action ⏸ defer

Status: Carry-over (run 4) · CI unstable.

Pure docs spec: formal checkout behavior specification for agent and safe_outputs jobs. Persists across 4 runs with CI unstable. ⚠️ Consider closing if CI issue is not resolved — spec value is low relative to carry-over cost.

Run §28966928999

Generated by 🔧 PR Triage Agent · 106.9 AIC · ⌖ 10.9 AIC · ⊞ 5.4K ·

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

pr-sous-chef
@copilot please run the pr-finisher skill, address any unresolved review feedback (including the safe-outputs checkout credential field request), and rerun checks once the branch is up to date.

Run: https://github.com/github/gh-aw/actions/runs/28969326363

Generated by 👨‍🍳 PR Sous Chef · 10.3 AIC · ⌖ 7.04 AIC · ⊞ 7.1K ·
Comment /souschef to run again

…out-behavior

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

pr-sous-chef
@copilot please run the pr-finisher skill, address any unresolved review feedback (including the safe-outputs checkout credential field request), and rerun checks once the branch is u...

Done in ac24527: merged latest main (docs-only commit c342483). Local validation passes (make agent-report-progress green, no tooling drift).

Summary of where things stand:

  • ✅ Reviews — All in-scope review feedback was addressed in prior commits. Three threads have replies but the GraphQL API is not accessible in this environment to mark them resolved — they will need a human to resolve:
    • §3.4 checkout manifest thread: addressed in f4562a1, replied twice confirming it is done.
    • app alias thread: addressed in c0968e3, replied confirming the fix.
    • safe-output-github-token ordering thread: moot since 045bf15 removed the token field; replied confirming it is now moot.
  • ✅ Checks (local) — make agent-report-progress green: 0 lint errors, all 259 workflow lock files in sync.
  • ❓ Checks (CI) — Stale after agent push; needs human re-trigger. Prior CI run (28969931366) was in progress at triage; no prior failures to address.
  • ✅ Mergeable — Branch is OPEN, not draft, up to date with main.

Hand-off: CI must be re-triggered by a maintainer (close/reopen PR, workflow_dispatch, or push) before merge. Three unresolved review threads need manual resolution since the GraphQL mutation endpoint is blocked in this environment.

@pelikhan pelikhan merged commit a7fb8aa into main Jul 8, 2026
@pelikhan pelikhan deleted the copilot/specify-checkout-behavior branch July 8, 2026 20:21
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants