Problem
workflows/agentic-wiki-writer.md Step 2c instructs the agent to create a PR adding .github/agentic-wiki/PAGES.md. That PR is unconditionally blocked by the create-pull-request safe-output, because .github/ is in the default protected-path-prefixes.
Reproduction
First-run of the workflow in a repo that has no .github/agentic-wiki/PAGES.md yet.
Agent correctly runs Step 2c and calls create_pull_request with a patch adding .github/agentic-wiki/PAGES.md. Safe-output handler then emits:
Cannot create pull request: patch modifies protected files (.github/agentic-wiki/PAGES.md).
Add them to the allowed-files configuration field or set protected-files: fallback-to-issue
to create a review issue instead.
Full failure log: https://github.com/tidyhq/TidyClub/actions/runs/24343140201
Downstream effect: the manager also cancels the queued push_wiki output ("Code push operation 'create_pull_request' failed — remaining safe outputs will be cancelled"), so the wiki never gets pushed either, even on subsequent runs where PAGES.md already exists — the agent still tries a Step 3h fix-up PR.
Proposed fix
Scope create-pull-request to the template directory and opt in to writing protected paths in the frontmatter:
safe-outputs:
  create-pull-request:
    title-prefix: "[agentic-wiki]"
    labels: [documentation, automated]
    allowed-files:
      - ".github/agentic-wiki/**"
    protected-files: allowed
allowed-files scopes the PR to only the template directory; protected-files: allowed is required independently because .github/ is in protected-path-prefixes (per the comment in actions/setup/js/manifest_file_helpers.cjs in gh-aw: "neither overrides the other implicitly").
Verified the fix locally against v0.68.3 — compiled config now includes "allowed_files":[".github/agentic-wiki/**"] and "protected_files_policy":"allowed", and the Step 2c PR creation is expected to succeed on next run.
Happy to open a PR if useful.
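As an added illustration (not part of the original issue and not gh-aw's own code), the following JavaScript models the two checks described above as independent gates, to show why the proposed fix sets both options. The function names, the treatment of an unset allowed-files as "no scoping", and the sample workflow path are assumptions.

```javascript
// Simplified model of the two gates described in the issue. NOT gh-aw's code:
// function names and the handling of unset options are assumptions.
const PROTECTED_PREFIXES = [".github/"]; // the one prefix the issue names

// Minimal glob support: "**" crosses directories, "*" stays in one segment.
function globToRegExp(glob) {
  const pattern = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\u0000")
    .replace(/\*/g, "[^/]*")
    .replace(/\u0000/g, ".*");
  return new RegExp(`^${pattern}$`);
}

function evaluatePatch(files, config = {}) {
  const globs = (config["allowed-files"] || []).map(globToRegExp);
  const policy = config["protected-files"]; // undefined models the default

  // Gate 1 (scope): when allowed-files is set, every file must match a glob.
  const outOfScope = globs.length
    ? files.filter((f) => !globs.some((re) => re.test(f)))
    : [];
  if (outOfScope.length) {
    return { action: "reject", reason: "outside allowed-files", files: outOfScope };
  }
  // Gate 2 (protection): evaluated even when gate 1 passed.
  const hits = files.filter((f) => PROTECTED_PREFIXES.some((p) => f.startsWith(p)));
  if (hits.length && policy !== "allowed") {
    const action = policy === "fallback-to-issue" ? "create-issue" : "reject";
    return { action, reason: "protected files", files: hits };
  }
  return { action: "create-pr", reason: "ok", files };
}

// Constructed inputs: the patch from the issue and a hypothetical workflow edit.
const wikiPatch = [".github/agentic-wiki/PAGES.md"];
const workflowPatch = [".github/workflows/ci.yml"];
const scope = { "allowed-files": [".github/agentic-wiki/**"] };
const configs = {
  default: {},
  scopeOnly: scope,
  optInOnly: { "protected-files": "allowed" },
  proposed: { ...scope, "protected-files": "allowed" },
};
for (const [name, cfg] of Object.entries(configs)) {
  console.log(name, evaluatePatch(wikiPatch, cfg).action,
    evaluatePatch(workflowPatch, cfg).action);
}
```

In this model, setting only protected-files: allowed would also let a patch under .github/workflows/ through, which is why the allowed-files scope is worth keeping alongside the opt-in.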