Skip to content

feat: propagate missing token failure to conclusion job#44777

Merged
pelikhan merged 1 commit into
mainfrom
copilot/propagate-missing-token-failure
Jul 10, 2026
Merged

feat: propagate missing token failure to conclusion job#44777
pelikhan merged 1 commit into
mainfrom
copilot/propagate-missing-token-failure

Conversation

Copilot AI commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

When COPILOT_GITHUB_TOKEN (or equivalent) is missing, validate_multi_secret.sh fails the activation job with secret_verification_result=failed, causing the agent job to be skipped. The conclusion job condition didn't include this case, so it never ran and no failure issue was surfaced to the user.

Changes

  • buildConclusionJobCondition: adds needs.activation.outputs.secret_verification_result == 'failed' alongside the existing lockdown_check_failed, oauth_token_check_failed, and stale_lock_file_failed guards — same pattern as the recent oauth token propagation
  • Test: TestSecretVerificationFailurePropagatedToConclusionCondition verifies the condition appears in compiled output
  • Lock files: all 256 recompiled; golden files updated

GH_AW_SECRET_VERIFICATION_RESULT was already forwarded to handle_agent_failure.cjs via buildAgentFailureCoreVars — only the job condition was missing.

When a required secret (e.g., COPILOT_GITHUB_TOKEN) is missing, the
activation job fails with secret_verification_result=failed and the
agent job is skipped. Without this change, the conclusion job would
never run and no failure issue would be created.

Add secret_verification_result == 'failed' to buildConclusionJobCondition
so the conclusion job runs in this case and creates an actionable failure issue.

Add TestSecretVerificationFailurePropagatedToConclusionCondition to verify
the condition is included in generated lock files.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title feat: propagate missing token failure to conclusion job condition feat: propagate missing token failure to conclusion job Jul 10, 2026
Copilot AI requested a review from pelikhan July 10, 2026 15:38
@pelikhan pelikhan marked this pull request as ready for review July 10, 2026 15:58
Copilot AI review requested due to automatic review settings July 10, 2026 15:58
@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR does not have the 'implementation' label and has ≤100 new lines of code in business logic directories (48 additions detected).

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request ensures the workflow conclusion job runs (and surfaces a failure issue) when activation fails due to missing required engine secrets (via secret_verification_result == 'failed'), instead of being skipped when the agent job is skipped.

Changes:

  • Extend buildConclusionJobCondition to treat needs.activation.outputs.secret_verification_result == 'failed' as an activation failure that should trigger the conclusion job.
  • Add a regression test to confirm the compiled lock output includes the new condition.
  • Recompile generated workflow lockfiles / update golden fixtures and add a patch changeset entry.
Show a summary per file
File Description
pkg/workflow/notify_comment_conclusion_helpers.go Include secret verification failure in the conclusion job if: condition guardrails.
pkg/workflow/secret_verification_output_test.go Add test coverage asserting the condition is present in compiled output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Update golden fixture (activation outputs now include oauth_token_check_failed).
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden Update golden fixture (activation outputs now include oauth_token_check_failed).
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Update golden fixture (activation outputs now include oauth_token_check_failed).
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden Update golden fixture (activation outputs now include oauth_token_check_failed).
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Update golden fixture (activation outputs now include oauth_token_check_failed).
.changeset/patch-propagate-missing-token-failure.md Patch release note for propagating missing-token failures to conclusion handling.
.github/workflows/schema-feature-coverage.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/pr-code-quality-reviewer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/cli-consistency-checker.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-team-evolution-insights.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-issues-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/pr-sous-chef.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/sub-issue-closer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/bot-detection.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-news.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-reliability-review.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-yamllint-fixer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-agent-scoped-approved.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/codex-github-remote-mcp-test.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/workflow-generator.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-update-cross-repo-pr.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/portfolio-analyst.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-copilot.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/refactoring-cadence.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-secrets-analysis.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/github-mcp-tools-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-service-ports.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/security-compliance.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/layout-spec-maintainer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-gemini.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-agent-all-none.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/github-remote-mcp-auth-test.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/dependabot-go-checker.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/example-workflow-analyzer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-formal-spec-verifier.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/github-mcp-structural-analysis.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-caveman-optimizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/blog-auditor.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-cli-performance.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/craft.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/deployment-incident-monitor.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-malicious-code-scan.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-workflow-updater.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/issue-arborist.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-claude.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-community-attribution.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/plan.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-copilot-sub-agents.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-copilot-aoai-apikey.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/audit-workflows.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/copilot-centralization-optimizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/claude-code-user-docs-review.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-agentrx-trace-optimizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-project.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-assign-issue-to-user.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/detection-analysis-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-temporary-id.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/notion-issue-summary.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-safe-outputs-conformance.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-testify-uber-super-expert.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/jsweep.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/semantic-function-refactor.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/architecture-guardian.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-copilot-small.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/metrics-collector.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-repo-chronicle.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/video-analyzer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-antigravity.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-multi-device-docs-tester.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/hippo-embed.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/copilot-pr-nlp-analysis.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/issue-monster.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/avenger.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/org-health-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-semgrep-scan.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/refiner.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/developer-docs-consolidator.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-performance-summary.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/workflow-skill-extractor.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-claude-on-copilot.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/stale-pr-cleanup.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/weekly-issue-summary.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-ci.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/firewall-escape.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-pi.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/agent-persona-explorer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/dependabot-repair.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/ai-moderator.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-function-namer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-aw-cross-repo-compile-check.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-safe-output-optimizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/mattpocock-skills-reviewer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/approach-validator.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/copilot-pr-merged-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-safeoutputs-git-simulator.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/super-linter.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/chaos-pr-bundle-fuzzer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/repository-quality-improver.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/constraint-solving-potd.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-copilot-sdk.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/copilot-opt.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/ci-coach.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-regulatory.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-credit-limit-test.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-token-consumption-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-call-workflow.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/functional-pragmatist.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/pr-description-caveman.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/duplicate-code-detector.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-multi-pr.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-opencode.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/workflow-normalizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-create-cross-repo-pr.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-architecture-diagram.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/workflow-health-manager.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-cache-strategy-analyzer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-code-metrics.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-team-status.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/ubuntu-image-analyzer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/delight.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/sergo.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/repo-tree-map.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/code-scanning-fixer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/dictation-prompt.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/outcome-collector.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-spdd-spec-planner.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/terminal-stylist.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/dead-code-remover.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/agentic-token-optimizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/copilot-cli-deep-research.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-observability-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-skill-optimizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-agent-all-merged.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/ab-testing-advisor.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/breaking-change-checker.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-doc-updater.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/grumpy-reviewer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/artifacts-summary.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/copilot-agent-analysis.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-otel-backends.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/example-failure-category-filter.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/docs-noob-tester.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-hippo-learn.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/copilot-pr-prompt-analysis.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/impeccable-skills-reviewer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/cloclo.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/unbloat-docs.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/weekly-blog-post-writer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/necromancer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/step-name-alignment.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-security-observability.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/dependabot-burner.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/instructions-janitor.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/objective-impact-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/technical-doc-writer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-crush.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/test-quality-sentinel.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/slide-deck-maintainer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/lint-monster.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-cli-tools-tester.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/discussion-task-miner.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/pr-nitpick-reviewer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/scout.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-test-tools.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-rendering-scripts-verifier.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/aw-failure-investigator.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/skillet.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/weekly-editors-health-check.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/cli-version-checker.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/eslint-monster.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/commit-changes-analyzer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/update-astro.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-windows-terminal-integration-builder.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/spec-enforcer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/safe-output-health.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/copilot-session-insights.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-elixir-credo-snippet-audit.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-security-red-team.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/design-decision-gate.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-model-inventory.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/brave.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-compiler-quality.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/poem-bot.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/api-consumption-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-choice-test.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-workflow-call-with-inputs.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/pr-triage-agent.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/uk-ai-operational-resilience.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/stale-repo-identifier.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/linter-miner.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-doc-healer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-copilot-aoai-entra.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/designer-drift-audit.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-ambient-context-optimizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/pdf-summary.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/code-simplifier.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/release.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/prompt-clustering-analysis.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-safe-output-integrator.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/repo-audit-analyzer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/go-fan.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/glossary-maintainer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/ace-editor.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/static-analysis-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-firewall-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-copilot-arm.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/ruflo-backed-task.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-agent-public-approved.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/security-review.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/mergefest.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/archie.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-experiment-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/research.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-agent-public-none.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/q.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/changeset.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/mcp-inspector.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/go-pattern-detector.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-sentrux-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/auto-triage-issues.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/dev.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/draft-pr-cleanup.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/visual-regression-checker.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/deep-report.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/agentic-token-audit.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/schema-consistency-checker.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-byok-ollama-test.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/typist.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/eslint-miner.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-geo-optimizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-syntax-error-quality.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/python-data-charts.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/gpclean.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/firewall.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/lockfile-stats.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-fact.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-awf-spec-compiler-surfacing.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/tidy.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/spec-extractor.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/issue-triage-agent.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/spec-librarian.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/agent-performance-analyzer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/go-logger.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/agentic-token-trend-audit.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-workflow-call.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/example-permissions-warning.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/dataflow-pr-discussion-dataset.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/dev-hawk.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-model-resolution.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-max-ai-credits-test.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/contribution-check.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-compiler-threat-spec-optimizer.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/copilot-centralization-drilldown.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/smoke-codex.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/ci-doctor.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/eslint-refiner.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/hourly-ci-cleaner.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).
.github/workflows/daily-file-diet.lock.yml Recompiled lockfile (conclusion if: includes secret verification failure).

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 264/264 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines 470 to 472
lockdownCheckFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.lockdown_check_failed", constants.ActivationJobName)), BuildStringLiteral("true"))
oauthTokenCheckFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.oauth_token_check_failed", constants.ActivationJobName)), BuildStringLiteral("true"))
staleLockFileFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.stale_lock_file_failed", constants.ActivationJobName)), BuildStringLiteral("true"))
"gh-aw": patch
---

Propagate missing token failure to the conclusion job failure issue. When a required secret (e.g., `COPILOT_GITHUB_TOKEN`) is missing, the activation job now fails with `secret_verification_result=failed`, causing the conclusion job to run and create an actionable failure issue.
@github-actions

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

⚠️ Test Quality Score: 60/100 — Acceptable

Analyzed 1 test: 1 design, 0 implementation, 0 violation(s).

📊 Metrics (1 test)
Metric Value
Analyzed 1 (Go: 1, JS: 0)
✅ Design 1 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 0 (0%)
Duplicate clusters 0
Inflation YES (13:1 ratio)
🚨 Violations 0
Test File Classification Issues
TestSecretVerificationFailurePropagatedToConclusionCondition pkg/workflow/secret_verification_output_test.go:59-95 Design/behavioral contract High test inflation (41:3 added test:prod lines); happy-path only
⚠️ Flagged Tests (1)

TestSecretVerificationFailurePropagatedToConclusionCondition (line 59) — Behavioral contract test for propagating missing token failures to the conclusion job condition. High value for ensuring error handling when OAuth tokens are missing — a regression would silently skip the conclusion job and prevent error reporting.

Test inflation: The test adds 41 lines to verify 3 lines of production code in notify_comment_conclusion_helpers.go (the OR condition that includes secretVerificationFailed). While integration tests that compile full workflows are naturally heavier, this ratio suggests the test could be streamlined or expanded with negative test cases (e.g., verify behavior when verification fails mid-execution, or when safe-outputs is misconfigured).

Coverage gap: Only happy-path tested (workflow compiles, assertion passes). Consider adding:

  • Error case: workflow with missing safe-outputs config
  • Edge case: malformed YAML or missing required fields
  • Negative case: ensure condition is NOT added when engine doesn't support safe-outputs

Verdict

Passed. 0% implementation tests (threshold: 30%). No coding violations. Build tag //go:build !integration present. No forbidden mocks. Design-focused test validating workflow compilation behavior. Quality score of 60/100 is acceptable for integration testing, though expanding error-path coverage would strengthen confidence.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 14.8 AIC · ⌖ 9.46 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 60/100. 0% implementation tests (threshold: 30%). No violations. Design-focused test with proper build tags — acceptable for integration testing.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: feat: propagate missing token failure to conclusion job

The change is correct and follows the established pattern for propagating activation-job guardrail failures to the conclusion job condition.

What was missing: When COPILOT_GITHUB_TOKEN is absent, validate_multi_secret.sh sets secret_verification_result=failed, causing the activation job to skip the agent. But the conclusion job condition did not include this path, so users got no failure issue surfaced.

The fix: secretVerificationFailed is now unconditionally included in buildConclusionJobCondition, parallel to lockdownCheckFailed, oauthTokenCheckFailed, and staleLockFileFailed. Lock files are consistently regenerated across all 256 workflows.

Minor observation (non-blocking): secret_verification_result is conditionally emitted by the activation job (only when EngineHasValidateSecretStep() is true). The new guard is added unconditionally, unlike daily_ai_credits_exceeded which is wrapped in hasMaxDailyAICGuardrail. This is safe (absent output evaluates false), but it is a subtle asymmetry worth noting for future consistency.

Test coverage: TestSecretVerificationFailurePropagatedToConclusionCondition directly verifies the new condition string.

LGTM

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 41.2 AIC · ⌖ 4.37 AIC · ⊞ 4.8K

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /diagnosing-bugs and /tdd — this is a clean, well-targeted fix. One minor suggestion on test precision (see inline comment).

📋 Key Themes & Highlights

Key Themes

  • Correct root-cause fix: the missing OR arm in buildConclusionJobCondition is precisely the right place to hook this; the forwarding of GH_AW_SECRET_VERIFICATION_RESULT through buildAgentFailureCoreVars was already in place
  • Pattern consistency: follows the exact same shape as oauth_token_check_failed and lockdown_check_failed propagation
  • Test covers the generated output: TestSecretVerificationFailurePropagatedToConclusionCondition compiles a real workflow and asserts the lock file contains the expected condition — solid regression guard

One Observation

  • The string-containment assertion in the new test works, but could be tightened to assert specifically on the conclusion job's if: field (see inline comment)

Positive Highlights

  • ✅ Minimal, surgical diff — only the buildConclusionJobCondition OR chain and its test change
  • ✅ Lock files regenerated consistently
  • ✅ Changeset entry is accurate and descriptive
  • ✅ Unrelated mix new --force removal is a clean separate improvement

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 48.2 AIC · ⌖ 4.55 AIC · ⊞ 6.6K
Comment /matt to run again

// Check that the conclusion job condition includes secret_verification_result == 'failed'
// so the conclusion job runs when the token is missing (causing activation to fail and agent to be skipped).
if !strings.Contains(lockStr, "needs.activation.outputs.secret_verification_result == 'failed'") {
t.Error("Expected conclusion job condition to include secret_verification_result == 'failed' so it runs when the token is missing")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/tdd] The assertion checks string containment anywhere in the lock file — it could in theory match the condition outside the conclusion job's if: clause. Consider tightening the assertion to verify the condition appears within the conclusion job's block specifically (e.g., with a regex or by parsing the YAML).

💡 Suggested approach

Parse the lock file as YAML and assert directly on the conclusion job's if field:

var lockYAML map[string]interface{}
if err := yaml.Unmarshal(lockContent, &lockYAML); err != nil {
    t.Fatalf("Failed to parse lock file: %v", err)
}
jobs := lockYAML["jobs"].(map[string]interface{})
conclusionJob := jobs["conclusion"].(map[string]interface{})
condition := conclusionJob["if"].(string)
if !strings.Contains(condition, "needs.activation.outputs.secret_verification_result == 'failed'") {
    t.Error("Expected conclusion job 'if' to include secret_verification_result == 'failed'")
}

This is low-risk given how specific the searched string is, but the tighter assertion would make the test intent explicit and prevent false passes if the string ever appears elsewhere.

@copilot please address this.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

REQUEST_CHANGES — one high correctness issue

The core fix is correct and the pattern is right. However there is a parity bug between how the env var () is injected and how the condition is emitted.

Blocking issue: buildConclusionJobCondition always appends the secret_verification_result == 'failed' guard regardless of engine, but the activation job only declares that output when EngineHasValidateSecretStep returns true. Engines backed by BaseEngine (and any engine returning an empty validation step) will compile lock files with a dangling condition clause that is always-false. The env-var injection at line 210–212 is correctly gated — the condition needs the same gate.

A negative test to cover this is also missing.

Details
  • High (): condition unconditionally emitted for all engines even when the output is never set.
  • Medium (): no negative test asserts the condition is absent for non-validating engines.

🔎 Code quality review by PR Code Quality Reviewer · 85.6 AIC · ⌖ 4.63 AIC · ⊞ 5.4K
Comment /review to run again

oauthTokenCheckFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.oauth_token_check_failed", constants.ActivationJobName)), BuildStringLiteral("true"))
staleLockFileFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.stale_lock_file_failed", constants.ActivationJobName)), BuildStringLiteral("true"))
activationGuardrailsFailed := BuildOr(lockdownCheckFailed, BuildOr(oauthTokenCheckFailed, staleLockFileFailed))
secretVerificationFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.secret_verification_result", constants.ActivationJobName)), BuildStringLiteral("failed"))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Condition emitted unconditionally for engines that never set secret_verification_result: every workflow compiled for engines using BaseEngine (or any engine whose GetSecretValidationStep returns an empty step) will carry a dangling condition clause — GitHub Actions evaluates the missing output as empty string so == 'failed' is always false, making it dead YAML in those workflows.

The env-var injection at line 210–212 is correctly gated behind EngineHasValidateSecretStep(engine, data). The condition should apply the same guard.

💡 Suggested fix

Add a gated block mirroring the hasMaxDailyAICGuardrail pattern already at line 475:

if EngineHasValidateSecretStep(engine, data) {
    secretVerificationFailed := BuildEquals(
        BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.secret_verification_result", constants.ActivationJobName)),
        BuildStringLiteral("failed"),
    )
    activationGuardrailsFailed = BuildOr(activationGuardrailsFailed, secretVerificationFailed)
}

This requires passing engine into buildConclusionJobCondition, the same way buildAgentFailureCoreVars already receives it.


// Check that the conclusion job condition includes secret_verification_result == 'failed'
// so the conclusion job runs when the token is missing (causing activation to fail and agent to be skipped).
if !strings.Contains(lockStr, "needs.activation.outputs.secret_verification_result == 'failed'") {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No negative test: the condition should be absent for engines that skip secret validation. The new test only asserts the condition IS present, but there is no test asserting it is absent for e.g. BaseEngine-based engines or the WASM engine. As written, the condition is unconditionally emitted for all engines (see companion comment on notify_comment_conclusion_helpers.go:473), so a negative test would fail today — but adding it would immediately expose the correctness gap and lock in the intended behavior after it is fixed.

💡 Suggested fix

Add a sibling test that compiles a workflow with an engine that has no secret validation step and asserts the condition is not present:

func TestSecretVerificationConditionAbsentForUnsupportedEngine(t *testing.T) {
    // e.g. compile with engine: gemini or a base engine variant
    // assert: !strings.Contains(lockStr, "needs.activation.outputs.secret_verification_result")
}

This locks in the parity with the EngineHasValidateSecretStep gate used in buildAgentFailureCoreVars.

@pelikhan pelikhan merged commit c6b6e7d into main Jul 10, 2026
103 checks passed
@pelikhan pelikhan deleted the copilot/propagate-missing-token-failure branch July 10, 2026 16:25
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants