Skip to content

[gh-aw] Bump gh-aw setup action to v0.81.6 across PAT pool workflows#11823

Merged
simonrozsival merged 5 commits into
mainfrom
jonathanpeppers-automatic-waffle
Jul 1, 2026
Merged

[gh-aw] Bump gh-aw setup action to v0.81.6 across PAT pool workflows#11823
simonrozsival merged 5 commits into
mainfrom
jonathanpeppers-automatic-waffle

Conversation

@jonathanpeppers

Copy link
Copy Markdown
Member

Follow-up to #11757.

The validate-pat-pool.yml workflow added in #11757 was still pinned to github/gh-aw-actions/setup@v0.71.5, while the compiled agentic workflows and .github/aw/actions-lock.json were on v0.80.9. That version drift defeats the purpose of validation, since PATs were being exercised with a different install_copilot_cli.sh than the workflows that actually consume them (raised in this review comment).

This PR aligns everything to the gh-aw release currently installed in the repo's toolchain (v0.81.6):

  • Bumps validate-pat-pool.yml to use setup@v0.81.6.
  • Re-runs gh aw compile, which regenerates android-reviewer.lock.yml, nightly-fix-finder.lock.yml, agentics-maintenance.yml, and the actions-lock.json to v0.81.6 (and re-adds the setup-cli@v0.81.6 lock entry).

No behavior change beyond the upstream gh-aw bump itself; the recompile is the standard mechanical output. The other review comments on #11757 (Copilot CLI version, fallback wording, permissions: {}) are intentionally left for a separate change.

jonathanpeppers and others added 2 commits June 30, 2026 10:24
The compiled agentic workflows and .github/aw/actions-lock.json use
github/gh-aw-actions/setup v0.80.9, but validate-pat-pool.yml was
still pinned to v0.71.5. Using the same version everywhere keeps the
helper scripts (including install_copilot_cli.sh) consistent and
avoids validation drift.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Also bump validate-pat-pool.yml setup action to v0.81.6 to match.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 30, 2026 15:25
@jonathanpeppers

Copy link
Copy Markdown
Member Author

/review

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown

Android PR Reviewer completed successfully!

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Aligns the repository’s PAT-pool-related agentic workflows to the currently installed gh-aw toolchain release (v0.81.6) so validation and compiled workflows use the same gh-aw setup scripts and locked action SHAs.

Changes:

  • Bump validate-pat-pool.yml to github/gh-aw-actions/setup@v0.81.6 (pinned by SHA).
  • Regenerate compiled lock workflows to gh-aw v0.81.6 output (including updated container/image/tool versions and new generated wiring such as runtime features and MCP gateway config).
  • Update .github/aw/actions-lock.json to include setup-cli@v0.81.6 and update setup@v0.81.6.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
.github/workflows/validate-pat-pool.yml Updates gh-aw setup action pin to v0.81.6 for PAT pool validation workflow.
.github/workflows/nightly-fix-finder.lock.yml Regenerated compiled workflow with v0.81.6 pins and updated generated logic.
.github/workflows/android-reviewer.lock.yml Regenerated compiled workflow with v0.81.6 pins and updated generated logic.
.github/workflows/agentics-maintenance.yml Regenerated maintenance workflow output for v0.81.6 tooling (including action pins and CLI install step).
.github/aw/actions-lock.json Updates action lock entries to match v0.81.6 (adds setup-cli, updates setup).

Comment thread .github/workflows/nightly-fix-finder.lock.yml
Comment thread .github/workflows/android-reviewer.lock.yml

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 Review — [gh-aw] Bump gh-aw setup action to v0.81.6

Verdict: ✅ LGTM (one optional 💡 follow-up posted inline)

This is a clean, mostly mechanical gh-aw version-alignment PR. The hand-edited change (validate-pat-pool.yml) and the recompiled outputs are internally consistent.

Verified

  • SHA consistencysetup and setup-cli both pin ba6380cc6e5be5d21677bebe04d52fb48e3abec7. This is correct: they are path-based actions in the same github/gh-aw-actions repo at tag v0.81.6, so they share a commit SHA.
  • Source ↔ lock match — the setup@...v0.81.6 pin in validate-pat-pool.yml matches the actions-lock.json entry and all recompiled .lock.yml files (every setup/setup-cli ref in the touched files is v0.81.6).
  • No network-access expansion — the firewall allowDomains allowlists in the recompiled workflows are unchanged.
  • Bundled mechanical changes are expectedactions/checkout@v6.0.3 → v7.0.0, script-injection hardening (${{ inputs.* }}$GH_AW_* env vars), and the gh aw logs --count 100 → 500 / --report-file tweaks all come from the upstream v0.81.6 codegen, not hand edits.
  • Deferred items acknowledged — the PR explicitly leaves the Copilot CLI version, permissions: {}, and fallback wording for a separate change; not flagged here.

Finding (inline)

  • 💡 The "align everything" goal is incomplete: .github/workflows/copilot-setup-steps.yml is another hand-maintained workflow that still pins setup-cli@...v0.79.6 and installs gh-aw v0.68.3. gh aw compile doesn't touch it, so it stays drifted unless bumped manually. Optional to include here vs. a fast follow-up.

CI

Build matrix (dotnet-android Windows/Linux/Mac) was still in progress at review time; license/cla passed. The pre_activation: failure belongs to a gh-aw workflow activation-gate run, not the product build of this PR.

Minor (non-blocking)

The description says the compiled workflows were "on v0.80.9", but agentics-maintenance.yml was actually on v0.79.8 — i.e. the drift was slightly worse than stated. End state is consistent regardless.

Generated by Android PR Reviewer for issue #11823 · 206.2 AIC · ⌖ 27.7 AIC · ⊞ 6.7K
Comment /review to run again

Comment thread .github/workflows/validate-pat-pool.yml
jonathanpeppers and others added 3 commits June 30, 2026 10:37
The pull_request trigger fired on workflow-edit PRs, but the
pat_pool job runs in the protected copilot-pat-pool environment
which rejects PR refs, so every workflow-edit PR ended with a
failed check. Nightly-fix-finder doesn't need PR-event runs;
schedule + workflow_dispatch are enough.

Add stop-after as a kill-switch so gh-aw still emits a pre_activation
job (which the shared pat_pool import depends on).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The pull_request trigger fired on workflow-edit PRs, but the
pat_pool job runs in the protected copilot-pat-pool environment
which rejects PR refs, so every workflow-edit PR ended with a
failed check on this workflow. Nightly-fix-finder doesn't need
PR-event runs; schedule + workflow_dispatch are enough.

Removing the trigger broke compilation because shared/pat_pool.md
hard-coded 'needs: [pre_activation]', and pre_activation is only
emitted by gh-aw when the workflow has a permission/role check,
stop-after, skip-if, on.steps, etc. Schedule-only workflows have
none of those.

Fix at the source: drop the explicit dependency in pat_pool.md.
gh-aw automatically rewrites pat_pool's needs to depend on the
activation job instead, which in android-reviewer still depends
on pre_activation transitively, so the role check still gates
actual work. nightly-fix-finder now compiles cleanly with no
kill-switch hack required.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Use a sentinel paths: filter that no real PR will ever touch.
The trigger stays present in frontmatter (which keeps gh-aw
happy: shared/pat_pool.md's pat_pool job depends on a
pre_activation job that gh-aw only emits when there's a
permission/role/PR-style anchor), but no actual PR run will
ever fire, so the protected copilot-pat-pool environment is
never entered from a PR ref.

This replaces the earlier approach of removing needs: pre_activation
from shared/pat_pool.md, which mutated that file (authored by
someone else) and reparented android-reviewer's pat_pool job.
With this commit, android-reviewer.lock.yml is bit-identical to
the pre-fix baseline.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jonathanpeppers jonathanpeppers added the ready-to-review This PR is ready to review/merge, I think any CI failures are just flaky (ignorable). label Jun 30, 2026
@simonrozsival simonrozsival merged commit 1731326 into main Jul 1, 2026
40 checks passed
@simonrozsival simonrozsival deleted the jonathanpeppers-automatic-waffle branch July 1, 2026 08:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready-to-review This PR is ready to review/merge, I think any CI failures are just flaky (ignorable).

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants