feat: propagate missing token failure to conclusion job#44777
Conversation
When a required secret (e.g., COPILOT_GITHUB_TOKEN) is missing, the activation job fails with secret_verification_result=failed and the agent job is skipped. Without this change, the conclusion job would never run and no failure issue would be created. Add secret_verification_result == 'failed' to buildConclusionJobCondition so the conclusion job runs in this case and creates an actionable failure issue. Add TestSecretVerificationFailurePropagatedToConclusionCondition to verify the condition is included in generated lock files. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
✅ PR Code Quality Reviewer completed the code quality review. |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR does not have the 'implementation' label and has ≤100 new lines of code in business logic directories (48 additions detected). |
|
✅ Test Quality Sentinel completed test quality analysis. |
There was a problem hiding this comment.
Pull request overview
This pull request ensures the workflow conclusion job runs (and surfaces a failure issue) when activation fails due to missing required engine secrets (via secret_verification_result == 'failed'), instead of being skipped when the agent job is skipped.
Changes:
- Extend
buildConclusionJobConditionto treatneeds.activation.outputs.secret_verification_result == 'failed'as an activation failure that should trigger the conclusion job. - Add a regression test to confirm the compiled lock output includes the new condition.
- Recompile generated workflow lockfiles / update golden fixtures and add a patch changeset entry.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/notify_comment_conclusion_helpers.go | Include secret verification failure in the conclusion job if: condition guardrails. |
| pkg/workflow/secret_verification_output_test.go | Add test coverage asserting the condition is present in compiled output. |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden | Update golden fixture (activation outputs now include oauth_token_check_failed). |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden | Update golden fixture (activation outputs now include oauth_token_check_failed). |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden | Update golden fixture (activation outputs now include oauth_token_check_failed). |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden | Update golden fixture (activation outputs now include oauth_token_check_failed). |
| pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden | Update golden fixture (activation outputs now include oauth_token_check_failed). |
| .changeset/patch-propagate-missing-token-failure.md | Patch release note for propagating missing-token failures to conclusion handling. |
| .github/workflows/schema-feature-coverage.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/pr-code-quality-reviewer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/cli-consistency-checker.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-team-evolution-insights.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-issues-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/pr-sous-chef.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/sub-issue-closer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/bot-detection.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-news.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-reliability-review.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-yamllint-fixer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-agent-scoped-approved.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/workflow-generator.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/portfolio-analyst.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-copilot.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/refactoring-cadence.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-secrets-analysis.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/github-mcp-tools-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-service-ports.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/security-compliance.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/layout-spec-maintainer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-gemini.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-agent-all-none.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/dependabot-go-checker.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/example-workflow-analyzer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-formal-spec-verifier.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/github-mcp-structural-analysis.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-caveman-optimizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/blog-auditor.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-cli-performance.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/craft.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/deployment-incident-monitor.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-malicious-code-scan.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-workflow-updater.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/issue-arborist.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-claude.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-community-attribution.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/plan.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-copilot-sub-agents.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-copilot-aoai-apikey.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/audit-workflows.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/copilot-centralization-optimizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/claude-code-user-docs-review.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-agentrx-trace-optimizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-project.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-assign-issue-to-user.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/detection-analysis-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-temporary-id.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/notion-issue-summary.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-agent-of-the-day-blog-writer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-safe-outputs-conformance.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-testify-uber-super-expert.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/jsweep.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/semantic-function-refactor.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/architecture-guardian.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-copilot-small.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/metrics-collector.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-repo-chronicle.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/video-analyzer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-antigravity.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-multi-device-docs-tester.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/hippo-embed.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/copilot-pr-nlp-analysis.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/issue-monster.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/avenger.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/org-health-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-semgrep-scan.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/refiner.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/developer-docs-consolidator.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-performance-summary.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/workflow-skill-extractor.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-claude-on-copilot.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/stale-pr-cleanup.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/weekly-issue-summary.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-ci.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/firewall-escape.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-pi.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/agent-persona-explorer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/dependabot-repair.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/ai-moderator.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-function-namer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-aw-cross-repo-compile-check.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-safe-output-optimizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/mattpocock-skills-reviewer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/approach-validator.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/copilot-pr-merged-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-safeoutputs-git-simulator.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/super-linter.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/chaos-pr-bundle-fuzzer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/repository-quality-improver.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/constraint-solving-potd.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-copilot-sdk.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/copilot-opt.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/ci-coach.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-regulatory.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-credit-limit-test.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-token-consumption-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-call-workflow.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/functional-pragmatist.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/pr-description-caveman.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/duplicate-code-detector.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-multi-pr.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-opencode.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/workflow-normalizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-architecture-diagram.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/workflow-health-manager.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-cache-strategy-analyzer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-code-metrics.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-team-status.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/ubuntu-image-analyzer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/delight.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/sergo.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/repo-tree-map.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/code-scanning-fixer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/dictation-prompt.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/outcome-collector.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-spdd-spec-planner.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/terminal-stylist.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/dead-code-remover.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/agentic-token-optimizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/copilot-cli-deep-research.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-observability-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-skill-optimizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-agent-all-merged.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/ab-testing-advisor.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/breaking-change-checker.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-doc-updater.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/grumpy-reviewer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/artifacts-summary.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/copilot-agent-analysis.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-otel-backends.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/example-failure-category-filter.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/docs-noob-tester.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-hippo-learn.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/copilot-pr-prompt-analysis.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/impeccable-skills-reviewer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/cloclo.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/unbloat-docs.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/weekly-blog-post-writer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/necromancer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/step-name-alignment.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-security-observability.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/dependabot-burner.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/instructions-janitor.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/objective-impact-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/technical-doc-writer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-crush.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/test-quality-sentinel.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/slide-deck-maintainer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/lint-monster.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-cli-tools-tester.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/discussion-task-miner.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/scout.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-test-tools.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-rendering-scripts-verifier.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/aw-failure-investigator.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/skillet.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/weekly-editors-health-check.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/cli-version-checker.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/eslint-monster.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/commit-changes-analyzer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/update-astro.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-windows-terminal-integration-builder.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/spec-enforcer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/safe-output-health.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/copilot-session-insights.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-elixir-credo-snippet-audit.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-security-red-team.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/design-decision-gate.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-model-inventory.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/brave.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-compiler-quality.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/poem-bot.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/api-consumption-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-choice-test.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-workflow-call-with-inputs.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/pr-triage-agent.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/uk-ai-operational-resilience.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/stale-repo-identifier.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/linter-miner.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-doc-healer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-copilot-aoai-entra.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/designer-drift-audit.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-ambient-context-optimizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/pdf-summary.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/code-simplifier.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/release.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/prompt-clustering-analysis.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-safe-output-integrator.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/repo-audit-analyzer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/go-fan.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/glossary-maintainer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/ace-editor.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/static-analysis-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-firewall-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-copilot-arm.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/ruflo-backed-task.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-agent-public-approved.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/security-review.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/mergefest.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/archie.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-experiment-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/research.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-agent-public-none.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/q.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/changeset.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-mcp-concurrency-analysis.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/mcp-inspector.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/go-pattern-detector.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-sentrux-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/auto-triage-issues.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/dev.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/draft-pr-cleanup.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/visual-regression-checker.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/deep-report.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/agentic-token-audit.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/schema-consistency-checker.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-byok-ollama-test.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/typist.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/eslint-miner.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-geo-optimizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-syntax-error-quality.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/python-data-charts.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/gpclean.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/firewall.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/lockfile-stats.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-fact.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-awf-spec-compiler-surfacing.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/tidy.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/spec-extractor.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/issue-triage-agent.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/spec-librarian.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/agent-performance-analyzer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/go-logger.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/agentic-token-trend-audit.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-workflow-call.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/example-permissions-warning.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/dataflow-pr-discussion-dataset.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/dev-hawk.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-model-resolution.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-max-ai-credits-test.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/contribution-check.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-compiler-threat-spec-optimizer.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/copilot-centralization-drilldown.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/smoke-codex.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/ci-doctor.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/eslint-refiner.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/hourly-ci-cleaner.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
| .github/workflows/daily-file-diet.lock.yml | Recompiled lockfile (conclusion if: includes secret verification failure). |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 264/264 changed files
- Comments generated: 2
- Review effort level: Low
| lockdownCheckFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.lockdown_check_failed", constants.ActivationJobName)), BuildStringLiteral("true")) | ||
| oauthTokenCheckFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.oauth_token_check_failed", constants.ActivationJobName)), BuildStringLiteral("true")) | ||
| staleLockFileFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.stale_lock_file_failed", constants.ActivationJobName)), BuildStringLiteral("true")) |
| "gh-aw": patch | ||
| --- | ||
|
|
||
| Propagate missing token failure to the conclusion job failure issue. When a required secret (e.g., `COPILOT_GITHUB_TOKEN`) is missing, the activation job now fails with `secret_verification_result=failed`, causing the conclusion job to run and create an actionable failure issue. |
🧪 Test Quality Sentinel Report
📊 Metrics (1 test)
|
There was a problem hiding this comment.
Review: feat: propagate missing token failure to conclusion job
The change is correct and follows the established pattern for propagating activation-job guardrail failures to the conclusion job condition.
What was missing: When COPILOT_GITHUB_TOKEN is absent, validate_multi_secret.sh sets secret_verification_result=failed, causing the activation job to skip the agent. But the conclusion job condition did not include this path, so users got no failure issue surfaced.
The fix: secretVerificationFailed is now unconditionally included in buildConclusionJobCondition, parallel to lockdownCheckFailed, oauthTokenCheckFailed, and staleLockFileFailed. Lock files are consistently regenerated across all 256 workflows.
Minor observation (non-blocking): secret_verification_result is conditionally emitted by the activation job (only when EngineHasValidateSecretStep() is true). The new guard is added unconditionally, unlike daily_ai_credits_exceeded which is wrapped in hasMaxDailyAICGuardrail. This is safe (absent output evaluates false), but it is a subtle asymmetry worth noting for future consistency.
Test coverage: TestSecretVerificationFailurePropagatedToConclusionCondition directly verifies the new condition string.
LGTM
🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 41.2 AIC · ⌖ 4.37 AIC · ⊞ 4.8K
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /diagnosing-bugs and /tdd — this is a clean, well-targeted fix. One minor suggestion on test precision (see inline comment).
📋 Key Themes & Highlights
Key Themes
- Correct root-cause fix: the missing OR arm in
buildConclusionJobConditionis precisely the right place to hook this; the forwarding ofGH_AW_SECRET_VERIFICATION_RESULTthroughbuildAgentFailureCoreVarswas already in place - Pattern consistency: follows the exact same shape as
oauth_token_check_failedandlockdown_check_failedpropagation - Test covers the generated output:
TestSecretVerificationFailurePropagatedToConclusionConditioncompiles a real workflow and asserts the lock file contains the expected condition — solid regression guard
One Observation
- The string-containment assertion in the new test works, but could be tightened to assert specifically on the conclusion job's
if:field (see inline comment)
Positive Highlights
- ✅ Minimal, surgical diff — only the
buildConclusionJobConditionOR chain and its test change - ✅ Lock files regenerated consistently
- ✅ Changeset entry is accurate and descriptive
- ✅ Unrelated
mix new --forceremoval is a clean separate improvement
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 48.2 AIC · ⌖ 4.55 AIC · ⊞ 6.6K
Comment /matt to run again
| // Check that the conclusion job condition includes secret_verification_result == 'failed' | ||
| // so the conclusion job runs when the token is missing (causing activation to fail and agent to be skipped). | ||
| if !strings.Contains(lockStr, "needs.activation.outputs.secret_verification_result == 'failed'") { | ||
| t.Error("Expected conclusion job condition to include secret_verification_result == 'failed' so it runs when the token is missing") |
There was a problem hiding this comment.
[/tdd] The assertion checks string containment anywhere in the lock file — it could in theory match the condition outside the conclusion job's if: clause. Consider tightening the assertion to verify the condition appears within the conclusion job's block specifically (e.g., with a regex or by parsing the YAML).
💡 Suggested approach
Parse the lock file as YAML and assert directly on the conclusion job's if field:
var lockYAML map[string]interface{}
if err := yaml.Unmarshal(lockContent, &lockYAML); err != nil {
t.Fatalf("Failed to parse lock file: %v", err)
}
jobs := lockYAML["jobs"].(map[string]interface{})
conclusionJob := jobs["conclusion"].(map[string]interface{})
condition := conclusionJob["if"].(string)
if !strings.Contains(condition, "needs.activation.outputs.secret_verification_result == 'failed'") {
t.Error("Expected conclusion job 'if' to include secret_verification_result == 'failed'")
}This is low-risk given how specific the searched string is, but the tighter assertion would make the test intent explicit and prevent false passes if the string ever appears elsewhere.
@copilot please address this.
There was a problem hiding this comment.
REQUEST_CHANGES — one high correctness issue
The core fix is correct and the pattern is right. However there is a parity bug between how the env var () is injected and how the condition is emitted.
Blocking issue: buildConclusionJobCondition always appends the secret_verification_result == 'failed' guard regardless of engine, but the activation job only declares that output when EngineHasValidateSecretStep returns true. Engines backed by BaseEngine (and any engine returning an empty validation step) will compile lock files with a dangling condition clause that is always-false. The env-var injection at line 210–212 is correctly gated — the condition needs the same gate.
A negative test to cover this is also missing.
Details
- High (): condition unconditionally emitted for all engines even when the output is never set.
- Medium (): no negative test asserts the condition is absent for non-validating engines.
🔎 Code quality review by PR Code Quality Reviewer · 85.6 AIC · ⌖ 4.63 AIC · ⊞ 5.4K
Comment /review to run again
| oauthTokenCheckFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.oauth_token_check_failed", constants.ActivationJobName)), BuildStringLiteral("true")) | ||
| staleLockFileFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.stale_lock_file_failed", constants.ActivationJobName)), BuildStringLiteral("true")) | ||
| activationGuardrailsFailed := BuildOr(lockdownCheckFailed, BuildOr(oauthTokenCheckFailed, staleLockFileFailed)) | ||
| secretVerificationFailed := BuildEquals(BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.secret_verification_result", constants.ActivationJobName)), BuildStringLiteral("failed")) |
There was a problem hiding this comment.
Condition emitted unconditionally for engines that never set secret_verification_result: every workflow compiled for engines using BaseEngine (or any engine whose GetSecretValidationStep returns an empty step) will carry a dangling condition clause — GitHub Actions evaluates the missing output as empty string so == 'failed' is always false, making it dead YAML in those workflows.
The env-var injection at line 210–212 is correctly gated behind EngineHasValidateSecretStep(engine, data). The condition should apply the same guard.
💡 Suggested fix
Add a gated block mirroring the hasMaxDailyAICGuardrail pattern already at line 475:
if EngineHasValidateSecretStep(engine, data) {
secretVerificationFailed := BuildEquals(
BuildPropertyAccess(fmt.Sprintf("needs.%s.outputs.secret_verification_result", constants.ActivationJobName)),
BuildStringLiteral("failed"),
)
activationGuardrailsFailed = BuildOr(activationGuardrailsFailed, secretVerificationFailed)
}This requires passing engine into buildConclusionJobCondition, the same way buildAgentFailureCoreVars already receives it.
|
|
||
| // Check that the conclusion job condition includes secret_verification_result == 'failed' | ||
| // so the conclusion job runs when the token is missing (causing activation to fail and agent to be skipped). | ||
| if !strings.Contains(lockStr, "needs.activation.outputs.secret_verification_result == 'failed'") { |
There was a problem hiding this comment.
No negative test: the condition should be absent for engines that skip secret validation. The new test only asserts the condition IS present, but there is no test asserting it is absent for e.g. BaseEngine-based engines or the WASM engine. As written, the condition is unconditionally emitted for all engines (see companion comment on notify_comment_conclusion_helpers.go:473), so a negative test would fail today — but adding it would immediately expose the correctness gap and lock in the intended behavior after it is fixed.
💡 Suggested fix
Add a sibling test that compiles a workflow with an engine that has no secret validation step and asserts the condition is not present:
func TestSecretVerificationConditionAbsentForUnsupportedEngine(t *testing.T) {
// e.g. compile with engine: gemini or a base engine variant
// assert: !strings.Contains(lockStr, "needs.activation.outputs.secret_verification_result")
}This locks in the parity with the EngineHasValidateSecretStep gate used in buildAgentFailureCoreVars.
|
🎉 This pull request is included in a new release. Release: |
When
COPILOT_GITHUB_TOKEN(or equivalent) is missing,validate_multi_secret.shfails the activation job withsecret_verification_result=failed, causing the agent job to be skipped. The conclusion job condition didn't include this case, so it never ran and no failure issue was surfaced to the user.Changes
buildConclusionJobCondition: addsneeds.activation.outputs.secret_verification_result == 'failed'alongside the existinglockdown_check_failed,oauth_token_check_failed, andstale_lock_file_failedguards — same pattern as the recent oauth token propagationTestSecretVerificationFailurePropagatedToConclusionConditionverifies the condition appears in compiled outputGH_AW_SECRET_VERIFICATION_RESULTwas already forwarded tohandle_agent_failure.cjsviabuildAgentFailureCoreVars— only the job condition was missing.