Skip to content

fix(ci): regenerate gh-aw workflow locks#58

Merged
duyet merged 1 commit into
masterfrom
codex/fix-daily-repo-status-gh-aw
Apr 24, 2026
Merged

fix(ci): regenerate gh-aw workflow locks#58
duyet merged 1 commit into
masterfrom
codex/fix-daily-repo-status-gh-aw

Conversation

@duyet

@duyet duyet commented Apr 24, 2026

Copy link
Copy Markdown
Owner

Summary

  • Regenerate Daily Repo Status and Metrics Collector lock files with gh-aw v0.68.3.
  • Update gh-aw action lock metadata for the new setup action and github-script v9 pins.
  • Fix the prompt setup path so gh-aw prompt assets are read from the setup temp directory instead of the old /opt/gh-aw prompt location.

Closes #11.

Verification

  • gh aw compile daily-repo-status metrics-collector --no-emit --validate --no-check-update (0 errors, 2 safe-update warnings)
  • bash scripts/validate-plugins.sh
  • git diff --check

Security review

The gh-aw v0.68.3 compiler emitted safe-update warnings for restricted secrets CODEX_API_KEY and OPENAI_API_KEY. I reviewed the regenerated locks: these secrets are used only by the Codex/OpenAI engine validation and agent execution paths generated by gh-aw, are excluded from the firewall environment where appropriate, and are included in redaction handling. The workflows already depended on Codex/OpenAI execution; this regeneration records that use in the new v3 lock manifest rather than adding an unrelated secret flow.

The new generated action entry is github/gh-aw-actions/setup@ba90f2186d7ad780ec640f364005fa24e797b360 for v0.68.3, replacing the stale github/gh-aw/actions/setup path that caused the missing prompt-file failure.

Summary by Sourcery

Regenerate and modernize the Daily Repo Status and Metrics Collector GitHub Actions workflows using gh-aw v0.68.3, updating metadata, schedules, setup paths, and security/telemetry handling while keeping behavior aligned with the new agentic workflows framework.

Bug Fixes:

  • Ensure gh-aw prompt and action assets are loaded from the runner temporary directory instead of the deprecated /opt/gh-aw paths, fixing missing prompt-file failures in CI.

Enhancements:

  • Regenerate daily-repo-status and metrics-collector lock files with gh-aw v0.68.3, including updated schema_version v3 metadata and explicit manifests for secrets, actions, and container images.
  • Update workflows to use the github/gh-aw-actions/setup action, newer github-script v9, and refreshed container images and AWF versions for the firewall and MCP gateway.
  • Extend activation, agent, detection, conclusion, and safe_outputs jobs with richer telemetry, token usage reporting, lockfile freshness checks, and GitHub MCP guard policies.
  • Refine safe outputs configuration, including additional tools (noop, report_incomplete, create_report_incomplete_issue) and structured validation for safer automated issue creation and reporting.
  • Adjust cron schedules and workflow-dispatch inputs for both workflows to better match current operational requirements.
  • Improve repo-memory push and artifact handling in metrics-collector, including concurrency guards and validation/patch size reporting.

CI:

  • Refresh gh-aw GitHub Actions workflow locks and associated CI wiring to align with gh-aw v0.68.3’s conventions and security model.

Regenerate Daily Repo Status and Metrics Collector lock files with gh-aw v0.68.3 so prompt assets are read from the setup action temp directory instead of the old /opt/gh-aw prompt path.

Update the gh-aw action lock cache for the v0.68.3 setup action and actions/github-script v9 pins.

Co-Authored-By: duyetbot <duyetbot@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Apr 24, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@duyet has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 42 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 22 minutes and 42 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9d1f3707-1777-4b7c-bcd2-9b07b2b00dac

📥 Commits

Reviewing files that changed from the base of the PR and between 6234bca and b4d024b.

📒 Files selected for processing (3)
  • .github/aw/actions-lock.json
  • .github/workflows/daily-repo-status.lock.yml
  • .github/workflows/metrics-collector.lock.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-daily-repo-status-gh-aw

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sourcery-ai

sourcery-ai Bot commented Apr 24, 2026

Copy link
Copy Markdown

Reviewer's Guide

Regenerates the Daily Repo Status and Metrics Collector workflow lockfiles with gh-aw v0.68.3, updating the setup action location, prompt/safe-output paths, MCP gateway and firewall configuration, Codex/AWF versions, job wiring, and adding explicit manifest/metadata for secrets, actions, and containers.

Sequence diagram for updated Daily Repo Status workflow job orchestration

sequenceDiagram
    actor Scheduler
    participant DailyRepoStatus as daily_repo_status_workflow
    participant ActivationJob as activation_job
    participant AgentJob as agent_job
    participant DetectionJob as detection_job
    participant SafeOutputsJob as safe_outputs_job
    participant ConclusionJob as conclusion_job
    participant ArtifactStore as actions_artifacts

    Scheduler->>DailyRepoStatus: trigger (cron 53 20 * * * or workflow_dispatch)

    DailyRepoStatus->>ActivationJob: start activation job
    ActivationJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
    ActivationJob->>actions_github_script_v9: generate_aw_info, validate_multi_secret, check_lock_file, check_version_updates
    ActivationJob->>actions_checkout_v6: checkout .github and .agents
    ActivationJob->>ActivationJob: create_prompt_first (using RUNNER_TEMP paths)
    ActivationJob->>ActivationJob: interpolate_prompt, substitute_placeholders
    ActivationJob->>ActivationJob: validate_prompt_placeholders, print_prompt_summary
    ActivationJob->>ArtifactStore: upload activation artifact (aw_info.json, prompt, rate_limits)
    ActivationJob-->>DailyRepoStatus: outputs(model, secret_verification_result, setup-trace-id, lockdown_check_failed, stale_lock_file_failed)

    DailyRepoStatus->>AgentJob: start agent job (needs.activation)
    AgentJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
    AgentJob->>actions_checkout_v6: checkout repository
    AgentJob->>github_gh_aw_actions_setup: create_gh_aw_tmp_dir, configure_gh_for_ghe
    AgentJob->>actions_github_script_v9: determine_automatic_lockdown
    AgentJob->>github_gh_aw_actions_setup: download_docker_images (firewall, mcpg, github-mcp-server, node)
    AgentJob->>actions_setup_node_v6_3_0: setup Node 24
    AgentJob->>CodexCLI: npm install @openai/codex@0.118.0
    AgentJob->>AWF_0_25_20: install_awf_binary v0.25.20
    AgentJob->>AgentJob: write_safe_outputs_config and tools (under RUNNER_TEMP)
    AgentJob->>SafeOutputsServer: start_safe_outputs_server.sh (HTTP MCP server)
    AgentJob->>MCPGateway: start_mcp_gateway.sh (docker mcpg v0.2.19, github-mcp-server v0.32.0)
    AgentJob->>ArtifactStore: download activation artifact (prompt, aw_info.json)
    AgentJob->>AWF_0_25_20: sandboxed codex exec with prompt.txt
    AWF_0_25_20->>CodexAPI: model gpt-5.1-codex-mini (via api.openai.com)
    AWF_0_25_20->>MCPGateway: tools (github, safeoutputs)
    AgentJob->>AgentJob: redact_secrets.cjs on logs
    AgentJob->>AgentJob: collect_ndjson_output.cjs from GH_AW_SAFE_OUTPUTS
    AgentJob->>AgentJob: parse_codex_log.cjs, parse_mcp_gateway_log.cjs, parse_token_usage.cjs
    AgentJob->>ArtifactStore: upload agent artifacts (prompt, logs, safeoutputs.jsonl, agent_output.json, patches)
    AgentJob-->>DailyRepoStatus: outputs(effective_tokens, model, checkout_pr_success, setup-trace-id)

    alt agent produced patches or outputs
        DailyRepoStatus->>DetectionJob: start detection job (needs.activation, needs.agent)
        DetectionJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
        DetectionJob->>ArtifactStore: download agent artifacts
        DetectionJob->>DetectionJob: setup_threat_detection.cjs
        DetectionJob->>AWF_0_25_20: sandboxed detection codex exec (separate log)
        AWF_0_25_20->>CodexAPI: detection model gpt-5.1-codex-mini
        DetectionJob->>ArtifactStore: upload detection.log
        DetectionJob->>DetectionJob: parse_threat_detection_results.cjs
        DetectionJob-->>DailyRepoStatus: outputs(detection_conclusion, detection_reason, detection_success)
    else no patches and no outputs
        DetectionJob-->>DailyRepoStatus: skipped
    end

    opt detection_success == 'success'
        DailyRepoStatus->>SafeOutputsJob: start safe_outputs job (needs.activation, needs.agent, needs.detection)
        SafeOutputsJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
        SafeOutputsJob->>ArtifactStore: download agent artifacts
        SafeOutputsJob->>actions_github_script_v9: safe_output_handler_manager.cjs
        SafeOutputsJob->>GitHubAPI: create_issue, missing_tool, missing_data, noop, report_incomplete
        SafeOutputsJob->>ArtifactStore: upload safe-outputs-items manifest
        SafeOutputsJob-->>DailyRepoStatus: outputs(created_issue_number, created_issue_url,...)
    end

    DailyRepoStatus->>ConclusionJob: start conclusion job (needs.activation, agent, detection, safe_outputs)
    ConclusionJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
    ConclusionJob->>ArtifactStore: download agent artifacts
    ConclusionJob->>actions_github_script_v9: handle_noop_message.cjs, handle_detection_runs.cjs, missing_tool.cjs, report_incomplete_handler.cjs, handle_agent_failure.cjs
    ConclusionJob->>GitHubIssuesAPI: create followup or failure issues as needed
    ConclusionJob-->>DailyRepoStatus: final outputs (noop_message, tools_reported, incomplete_count)
Loading

Sequence diagram for updated Metrics Collector workflow orchestration

sequenceDiagram
    actor Scheduler
    participant MetricsCollector as metrics_collector_workflow
    participant PreActivationJob as pre_activation_job
    participant ActivationJob as activation_job
    participant AgentJob as agent_job
    participant PushRepoMemoryJob as push_repo_memory_job
    participant ArtifactStore as actions_artifacts

    Scheduler->>MetricsCollector: trigger (cron 40 12 * * * or workflow_dispatch)

    MetricsCollector->>PreActivationJob: start pre_activation job
    PreActivationJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
    PreActivationJob->>actions_github_script_v9: check_membership.cjs (GH_AW_REQUIRED_ROLES)
    PreActivationJob-->>MetricsCollector: outputs(activated, setup-trace-id)

    alt caller has required roles
        MetricsCollector->>ActivationJob: start activation job (needs.pre_activation)
        ActivationJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
        ActivationJob->>actions_github_script_v9: generate_aw_info.cjs
        ActivationJob->>actions_github_script_v9: validate_multi_secret.sh via run step
        ActivationJob->>actions_checkout_v6: checkout .github and .agents
        ActivationJob->>ActivationJob: create_prompt_first.sh (RUNNER_TEMP prompts)
        ActivationJob->>ActivationJob: interpolate_prompt.cjs, substitute_placeholders.cjs
        ActivationJob->>ActivationJob: validate_prompt_placeholders.sh, print_prompt_summary.sh
        ActivationJob->>ArtifactStore: upload activation artifact (aw_info.json, prompt, rate_limits)
        ActivationJob-->>MetricsCollector: outputs(model, secret_verification_result, setup-trace-id, lockdown_check_failed, stale_lock_file_failed)

        MetricsCollector->>AgentJob: start agent job (needs.activation)
        AgentJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
        AgentJob->>actions_checkout_v6: checkout repository
        AgentJob->>github_gh_aw_actions_setup: create_gh_aw_tmp_dir.sh, configure_gh_for_ghe.sh
        AgentJob->>github_gh_aw_actions_setup: clone_repo_memory_branch.sh (repo-memory/default)
        AgentJob->>actions_github_script_v9: determine_automatic_lockdown.cjs
        AgentJob->>github_gh_aw_actions_setup: download_docker_images.sh (alpine, firewall, mcpg, github-mcp-server)
        AgentJob->>Env: install gh-aw extension and copy gh-aw binary to RUNNER_TEMP
        AgentJob->>actions_setup_node_v6_3_0: setup Node 24
        AgentJob->>CodexCLI: npm install @openai/codex@0.118.0
        AgentJob->>AWF_0_25_20: install_awf_binary v0.25.20
        AgentJob->>MCPGateway: start_mcp_gateway.sh (agenticworkflows via gh-aw binary, github-mcp-server v0.32.0)
        AgentJob->>ArtifactStore: download activation artifact
        AgentJob->>AWF_0_25_20: sandboxed codex exec for metrics collector prompt
        AWF_0_25_20->>CodexAPI: model gpt-5.1-codex-mini
        AWF_0_25_20->>MCPGateway: tools (agenticworkflows, github)
        AgentJob->>AgentJob: redact_secrets.cjs, parse_codex_log.cjs, parse_mcp_gateway_log.cjs, parse_token_usage.cjs
        AgentJob->>ArtifactStore: upload repo-memory-default and agent artifacts
        AgentJob-->>MetricsCollector: outputs(effective_tokens, model, checkout_pr_success, setup-trace-id)

        MetricsCollector->>PushRepoMemoryJob: start push_repo_memory job (needs.activation, needs.agent)
        PushRepoMemoryJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
        PushRepoMemoryJob->>actions_checkout_v6: checkout repository
        PushRepoMemoryJob->>actions_download_artifact_v8: download repo-memory-default
        PushRepoMemoryJob->>actions_github_script_v9: push_repo_memory.cjs (validate, commit, push memory/meta-orchestrators)
        PushRepoMemoryJob->>GitHubRepoMemoryBranch: push updated metrics files
        PushRepoMemoryJob-->>MetricsCollector: outputs(validation_failed_default, validation_error_default, patch_size_exceeded_default)
    else caller lacks required roles
        ActivationJob-->>MetricsCollector: skipped (activated == false)
        AgentJob-->>MetricsCollector: skipped
        PushRepoMemoryJob-->>MetricsCollector: skipped
    end
Loading

File-Level Changes

Change Details Files
Regenerate gh-aw lock metadata and manifests to v3/v0.68.3 with explicit secrets, actions, and container images for both workflows.
  • Add gh-aw-metadata v3 headers including compiler version v0.68.3, agent id/model, and strict mode flags.
  • Add gh-aw-manifest blocks listing all referenced secrets, pinned GitHub Actions, and container images.
  • Update generated comment banner lines and gh-aw version references from v0.50.4 to v0.68.3.
.github/workflows/daily-repo-status.lock.yml
.github/workflows/metrics-collector.lock.yml
Switch to github/gh-aw-actions/setup and move gh-aw assets, prompts, and safe-outputs from /opt/gh-aw into the runner temp directory, wiring new outputs and IDs.
  • Replace uses of github/gh-aw/actions/setup with github/gh-aw-actions/setup pinned to commit ba90f2..., adding job-name and trace-id inputs.
  • Change all hardcoded /opt/gh-aw paths (scripts, prompts, safeoutputs) to use ${{ runner.temp }}/gh-aw or $RUNNER_TEMP, including create_prompt, validate_prompt, print_prompt, safe-outputs config, and helper scripts.
  • Add setup step IDs and propagate setup-trace-id outputs across activation/agent/detection/conclusion/safe_outputs/push_repo_memory jobs.
.github/workflows/daily-repo-status.lock.yml
.github/workflows/metrics-collector.lock.yml
Expand activation and prompt-generation flows, including new aw_info generation, lockfile/version checks, prompt templates, and workflow-dispatch inputs.
  • Introduce Generate agentic run info steps that write /tmp/gh-aw/aw_info.json and expose model and lockdown_check_failed via outputs.
  • Add Check workflow lock file and Check compile-agentic version steps using actions/github-script v9 and new environment variables such as GH_AW_CONTEXT_WORKFLOW_REF and GH_AW_COMPILED_VERSION.
  • Enhance prompt creation to use new prompt IDs, additional prompt templates (e.g., github_mcp_tools_with_safeoutputs_prompt, agentic_workflows_guide), GH_AW_WIKI_NOTE, and updated lists including noop and new handlers.
  • Add workflow_dispatch inputs.aw_context to both workflows.
.github/workflows/daily-repo-status.lock.yml
.github/workflows/metrics-collector.lock.yml
Harden safe-outputs handling and MCP gateway configuration, including HTTP server, tool schemas, guard policies, and token parsing.
  • Generate safe-outputs config and tools via dedicated steps and a new generate_safe_outputs_tools.cjs helper instead of static JSON, with richer validation and additional handlers (report_incomplete, create_report_incomplete_issue, noop with report-as-issue).
  • Run a Safe Outputs MCP HTTP server with config and tools paths in the temp directory, wiring GH_AW_SAFE_OUTPUTS path via set-runtime-paths and passing it to gateway and downstream steps.
  • Update MCP gateway Docker command and config.toml for both workflows to use gh-aw-mcpg:v0.2.19, github-mcp-server:v0.32.0, payload size thresholds, GitHub MCP guard policies (allow-only/write-sink), and include GH_AW_SAFE_OUTPUTS_* envvars.
  • Add steps to copy safe outputs to /tmp/gh-aw, ingest NDJSON output, upload safe-outputs items manifests, and parse token usage from gateway logs.
.github/workflows/daily-repo-status.lock.yml
.github/workflows/metrics-collector.lock.yml
Upgrade Codex CLI, AWF/firewall stack, and tighten sandboxing and logging for agent and detection execution.
  • Bump Codex CLI from @openai/codex@0.104.0 to 0.118.0, and AWF image tag from 0.23.0 to 0.25.20 across agent and detection jobs.
  • Update awf invocations to mount ${RUNNER_TEMP}/gh-aw into the container, add audit-dir, exclude sensitive env vars (CODEX_API_KEY, OPENAI_API_KEY, GITHUB_MCP_SERVER_TOKEN, MCP_GATEWAY_API_KEY), and disable web_search/fetch tools.
  • Extend allowed domains lists to include www.googleapis.com and keep them consistent between agent, detection, and safe_outputs flows.
  • Write agent-step-summary.md and append it via append_agent_step_summary.sh, ensure agent_output.json placeholder is created when missing, and upload consolidated agent artifacts (prompts, usage, logs, safeoutputs, patches/bundles, firewall logs).
.github/workflows/daily-repo-status.lock.yml
.github/workflows/metrics-collector.lock.yml
Restructure downstream orchestration jobs (detection, conclusion, safe_outputs, push_repo_memory) to consume new artifacts and outputs and to integrate with detection results and repo memory.
  • For daily-repo-status, split jobs into activation, agent, detection, conclusion, and safe_outputs, passing model, effective_tokens, secret_verification_result, lockdown/stale-lock flags, checkout_pr_success, and detection conclusions between jobs via outputs.
  • Refine detection job to optionally run based on agent outputs, clean firewall artifacts, re-use AWF/Codex stack, parse results via parse_threat_detection_results.cjs, and surface detection_conclusion/reason/success flags.
  • In conclusion, read agent_output and safe-outputs artifacts from the new agent artifact, handle noop/missing_tool/report_incomplete/handle_agent_failure, and log detection runs with new handler scripts.
  • For metrics-collector, update pre_activation to use new setup, enforce team membership roles, and gate activation; update push_repo_memory to run on ubuntu-slim with concurrency, use new setup scripts, and call push_repo_memory.cjs via the temp actions path while exposing validation and patch_size_exceeded outputs.
.github/workflows/daily-repo-status.lock.yml
.github/workflows/metrics-collector.lock.yml
Miscellaneous behavioral tweaks: schedules, permissions, Git configuration, and artifacts naming.
  • Adjust cron schedules for both workflows (daily-repo-status and metrics-collector) to new scattered times.
  • Add actions: read permission in activation jobs and refine other permissions/if conditions (e.g., also handling github.event.issue.pull_request).
  • Normalize Git configuration steps to use GITHUB_TOKEN via env and to re-authenticate remotes consistently in agent and push jobs.
  • Rename artifacts (prompt→activation, agent-artifacts→agent, threat-detection.log→detection) and expand artifact contents to include aw_info, rate-limit logs, and repo memory directories.
.github/workflows/daily-repo-status.lock.yml
.github/workflows/metrics-collector.lock.yml

Assessment against linked issues

Issue Objective Addressed Explanation
#11 Resolve the failure of the Daily Repo Status GitHub Actions workflow so that it can run successfully again on the master branch.

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@github-actions

Copy link
Copy Markdown

Welcome! 👋

Thank you for your first contribution to this project! We appreciate you taking the time to improve our codebase.

Next Steps

  • A maintainer will review your PR shortly
  • Please check for any review comments and address them
  • Feel free to ask questions if anything is unclear

Contribution Guidelines

  • Ensure all tests pass
  • Update documentation if needed
  • Keep changes focused and atomic

Thanks again for contributing! 🎉

@duyet duyet merged commit 02e3ce9 into master Apr 24, 2026
3 checks passed
@duyet duyet deleted the codex/fix-daily-repo-status-gh-aw branch April 24, 2026 12:50

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The cron schedules for daily-repo-status and metrics-collector have changed (1:34 → 20:53 and 22:44 → 12:40); if that wasn’t intentional, it’s worth reverting to the previous run times before merging.
  • The new concurrency group for push_repo_memory (push-repo-memory-${{ github.repository }}|memory/meta-orchestrators) changes how runs are serialized across the repo; please confirm this broader lock scope matches the desired behavior and won’t block unrelated memory pushes.
  • Several steps that previously relied on /opt/gh-aw now reference ${{ runner.temp }}/gh-aw; double‑check any out-of-band tooling or diagnostics that might still assume the old /opt path so they don’t silently break against these regenerated workflows.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The cron schedules for `daily-repo-status` and `metrics-collector` have changed (`1:34 → 20:53` and `22:44 → 12:40`); if that wasn’t intentional, it’s worth reverting to the previous run times before merging.
- The new concurrency group for `push_repo_memory` (`push-repo-memory-${{ github.repository }}|memory/meta-orchestrators`) changes how runs are serialized across the repo; please confirm this broader lock scope matches the desired behavior and won’t block unrelated memory pushes.
- Several steps that previously relied on `/opt/gh-aw` now reference `${{ runner.temp }}/gh-aw`; double‑check any out-of-band tooling or diagnostics that might still assume the old `/opt` path so they don’t silently break against these regenerated workflows.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b4d024b9b8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

- activation
- agent
- detection
if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Gate safe outputs on detection outcome, not job result

This if condition only checks needs.detection.result == 'success', which is the job exit status, not whether threat detection actually passed. In this same workflow, the detection parser runs with GH_AW_DETECTION_CONTINUE_ON_ERROR: "true" and emits detection_conclusion/detection_success, so detection can report findings while the job still ends green; in that case safe_outputs will still run and process/publish agent outputs that should have been blocked. Gate this job on needs.detection.outputs.detection_success == 'true' (or detection_conclusion == 'success') instead.

Useful? React with 👍 / 👎.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the .github/aw/actions-lock.json file by adding entries for actions/github-script@v9 and github/gh-aw-actions/setup@v0.68.3. Feedback indicates that the old, stale version of the setup action should be removed to ensure consistency and prevent the accidental use of the broken path as intended by the PR description.

Comment on lines +13 to +17
"github/gh-aw-actions/setup@v0.68.3": {
"repo": "github/gh-aw-actions/setup",
"version": "v0.68.3",
"sha": "ba90f2186d7ad780ec640f364005fa24e797b360"
},

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The pull request description explicitly states that the new github/gh-aw-actions/setup@v0.68.3 entry replaces the stale github/gh-aw/actions/setup path, which was identified as the cause of a 'missing prompt-file failure'. However, the old entry (lines 18-22) has not been removed from the lock file. To ensure the fix is applied consistently across all workflows and to prevent the accidental use of the broken stale path, the old entry should be deleted if it is no longer required by any other components in the repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[agentics] Daily Repo Status failed

1 participant