Regenerate agentic workflow lock files#8224
Conversation
Lock files were out-of-date relative to their .md sources, causing the Issue Arborist scheduled run to fail with ERR_CONFIG (frontmatter hash mismatch). Regenerated via 'gh aw compile' (v0.72.1): - issue-arborist.lock.yml: drops DIFC proxy steps (PR #8185 made the Fetch issues data step use the REST API directly so the proxy is no longer needed). - address-review.agent.lock.yml: activation condition aligned with the .md source (review.state == 'changes_requested' instead of != 'approved') introduced by PR #8181. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…rkflows Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR regenerates gh-aw workflow lock files so they match their markdown workflow sources and restore scheduled/agentic workflow consistency.
Changes:
- Updates Issue Arborist lock metadata and removes obsolete DIFC proxy plumbing from the generated workflow.
- Aligns Address Review Comments activation conditions with the source workflow’s
changes_requestedtrigger. - Refreshes generated heredoc delimiter names and lock hashes from
gh aw compile.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/issue-arborist.lock.yml |
Regenerated Issue Arborist lock file with updated metadata and REST API fetch step environment. |
.github/workflows/address-review.agent.lock.yml |
Regenerated Address Review lock file with updated activation condition and metadata. |
Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 0
Evangelink
left a comment
Evangelink
left a comment
There was a problem hiding this comment.
Expert Review — PR #8224: Regenerate agentic workflow lock files
All 21 review dimensions assessed. Only .github/ files changed; C#-specific dimensions are N/A.
| # | Dimension | Result |
|---|---|---|
| 1 | Algorithmic Correctness | ✅ See note below |
| 2 | Threading & Concurrency | N/A |
| 3 | Security & IPC Contract Safety | ✅ |
| 4 | Public API & Binary Compatibility | N/A |
| 5 | Performance & Allocations | N/A |
| 6 | Cross-TFM Compatibility | N/A |
| 7 | Resource & IDisposable Management | N/A |
| 8 | Defensive Coding at Boundaries | N/A |
| 9 | Localization & Resources | N/A |
| 10 | Test Isolation | N/A |
| 11 | Assertion Quality | N/A |
| 12 | Flakiness Patterns | N/A |
| 13 | Test Completeness & Coverage | N/A |
| 14 | Data-Driven Test Coverage | N/A |
| 15 | Code Structure & Simplification | ✅ |
| 16 | Naming & Conventions | ✅ |
| 17 | Documentation Accuracy | ✅ |
| 18 | Analyzer & Code Fix Quality | N/A |
| 19 | IPC Wire Compatibility | N/A |
| 20 | Build Infrastructure & Dependencies | ✅ |
| 21 | Scope & PR Discipline | ✅ |
Dimension 1 — Algorithmic Correctness (MAJOR): ✅ Intentional semantic tightening
The activation condition in address-review.agent.lock.yml changed from:
github.event.review.state != 'approved'
to:
github.event.review.state == 'changes_requested'
This is more restrictive — the old condition also fired on commented and dismissed review states, which was likely unintentional. The new condition correctly matches only explicit change-request reviews, which aligns with the .md source introduced in PR #8181. The PR description confirms this is intentional.
The shell quoting fix in issue-arborist.lock.yml ("${GH_AW_GITHUB_REPOSITORY}" → "$GH_AW_GITHUB_REPOSITORY") is stylistically equivalent in bash and poses no correctness risk.
Dimension 3 — Security: ✅
Removing the DIFC proxy plumbing (GH_HOST, GITHUB_API_URL, NODE_EXTRA_CA_CERTS, Start/Stop DIFC Proxy steps) reduces the attack surface of the workflow. The Fetch issues data step now calls the GitHub REST API directly via curl with a scoped token, which is simpler and auditable.
Dimension 17 — Documentation Accuracy: ✅
The new guidelines in .github/copilot-instructions.md are clear and accurate:
- "NEVER hand-edit
.lock.ymlfiles" is a correct and enforceable rule. - "Always compile in strict mode" is consistent with the existing lock files (all have
"strict":truein their metadata).
Dimension 20 — Build Infrastructure: ✅
Lock file metadata hashes are updated consistently with the compiler version (v0.72.1) already in use. No new workflow triggers or permissions changes.
Dimension 21 — Scope & PR Discipline: ✅
PR is well-scoped: two regenerated lock files + matching instructions update. Cross-references to PRs #8181 and #8185 are explicit in the PR body. No unrelated changes.
Verdict: Clean. No issues found. The changes are machine-generated (as intended), the behavioral tightening of the address-review activation condition is correct and intentional, and the documentation addition is accurate.
Generated by Expert Code Review (on open) for issue #8224 · ● 6.2M
The scheduled Issue Arborist run #25866432274 failed at the
Check workflow lock filestep:Running
gh aw compile(v0.72.1, the same version recorded in the lock files) regenerates two lock files that drifted from their.mdsources:GH_HOST/GITHUB_API_URL/NODE_EXTRA_CA_CERTSenv on theFetch issues datastep. PR fix(aw): Issue Arborist - replace gh CLI with curl REST API to bypass DIFC proxy /meta block #8185 already switched that step to call the REST API directly viacurl, so the proxy plumbing isn't needed..mdintroduced in PR Add autofix review loop for Copilot PRs #8181 hasgithub.event.review.state == 'changes_requested'but the committed lock file still had!= 'approved'. Compile now aligns them.No source/markdown changes — only the regenerated YAML lock files.