fix(ci): regenerate gh-aw workflow locks#58
Conversation
Regenerate Daily Repo Status and Metrics Collector lock files with gh-aw v0.68.3 so prompt assets are read from the setup action temp directory instead of the old /opt/gh-aw prompt path. Update the gh-aw action lock cache for the v0.68.3 setup action and actions/github-script v9 pins. Co-Authored-By: duyetbot <duyetbot@users.noreply.github.com>
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 22 minutes and 42 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Reviewer's GuideRegenerates the Daily Repo Status and Metrics Collector workflow lockfiles with gh-aw v0.68.3, updating the setup action location, prompt/safe-output paths, MCP gateway and firewall configuration, Codex/AWF versions, job wiring, and adding explicit manifest/metadata for secrets, actions, and containers. Sequence diagram for updated Daily Repo Status workflow job orchestrationsequenceDiagram
actor Scheduler
participant DailyRepoStatus as daily_repo_status_workflow
participant ActivationJob as activation_job
participant AgentJob as agent_job
participant DetectionJob as detection_job
participant SafeOutputsJob as safe_outputs_job
participant ConclusionJob as conclusion_job
participant ArtifactStore as actions_artifacts
Scheduler->>DailyRepoStatus: trigger (cron 53 20 * * * or workflow_dispatch)
DailyRepoStatus->>ActivationJob: start activation job
ActivationJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
ActivationJob->>actions_github_script_v9: generate_aw_info, validate_multi_secret, check_lock_file, check_version_updates
ActivationJob->>actions_checkout_v6: checkout .github and .agents
ActivationJob->>ActivationJob: create_prompt_first (using RUNNER_TEMP paths)
ActivationJob->>ActivationJob: interpolate_prompt, substitute_placeholders
ActivationJob->>ActivationJob: validate_prompt_placeholders, print_prompt_summary
ActivationJob->>ArtifactStore: upload activation artifact (aw_info.json, prompt, rate_limits)
ActivationJob-->>DailyRepoStatus: outputs(model, secret_verification_result, setup-trace-id, lockdown_check_failed, stale_lock_file_failed)
DailyRepoStatus->>AgentJob: start agent job (needs.activation)
AgentJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
AgentJob->>actions_checkout_v6: checkout repository
AgentJob->>github_gh_aw_actions_setup: create_gh_aw_tmp_dir, configure_gh_for_ghe
AgentJob->>actions_github_script_v9: determine_automatic_lockdown
AgentJob->>github_gh_aw_actions_setup: download_docker_images (firewall, mcpg, github-mcp-server, node)
AgentJob->>actions_setup_node_v6_3_0: setup Node 24
AgentJob->>CodexCLI: npm install @openai/codex@0.118.0
AgentJob->>AWF_0_25_20: install_awf_binary v0.25.20
AgentJob->>AgentJob: write_safe_outputs_config and tools (under RUNNER_TEMP)
AgentJob->>SafeOutputsServer: start_safe_outputs_server.sh (HTTP MCP server)
AgentJob->>MCPGateway: start_mcp_gateway.sh (docker mcpg v0.2.19, github-mcp-server v0.32.0)
AgentJob->>ArtifactStore: download activation artifact (prompt, aw_info.json)
AgentJob->>AWF_0_25_20: sandboxed codex exec with prompt.txt
AWF_0_25_20->>CodexAPI: model gpt-5.1-codex-mini (via api.openai.com)
AWF_0_25_20->>MCPGateway: tools (github, safeoutputs)
AgentJob->>AgentJob: redact_secrets.cjs on logs
AgentJob->>AgentJob: collect_ndjson_output.cjs from GH_AW_SAFE_OUTPUTS
AgentJob->>AgentJob: parse_codex_log.cjs, parse_mcp_gateway_log.cjs, parse_token_usage.cjs
AgentJob->>ArtifactStore: upload agent artifacts (prompt, logs, safeoutputs.jsonl, agent_output.json, patches)
AgentJob-->>DailyRepoStatus: outputs(effective_tokens, model, checkout_pr_success, setup-trace-id)
alt agent produced patches or outputs
DailyRepoStatus->>DetectionJob: start detection job (needs.activation, needs.agent)
DetectionJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
DetectionJob->>ArtifactStore: download agent artifacts
DetectionJob->>DetectionJob: setup_threat_detection.cjs
DetectionJob->>AWF_0_25_20: sandboxed detection codex exec (separate log)
AWF_0_25_20->>CodexAPI: detection model gpt-5.1-codex-mini
DetectionJob->>ArtifactStore: upload detection.log
DetectionJob->>DetectionJob: parse_threat_detection_results.cjs
DetectionJob-->>DailyRepoStatus: outputs(detection_conclusion, detection_reason, detection_success)
else no patches and no outputs
DetectionJob-->>DailyRepoStatus: skipped
end
opt detection_success == 'success'
DailyRepoStatus->>SafeOutputsJob: start safe_outputs job (needs.activation, needs.agent, needs.detection)
SafeOutputsJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
SafeOutputsJob->>ArtifactStore: download agent artifacts
SafeOutputsJob->>actions_github_script_v9: safe_output_handler_manager.cjs
SafeOutputsJob->>GitHubAPI: create_issue, missing_tool, missing_data, noop, report_incomplete
SafeOutputsJob->>ArtifactStore: upload safe-outputs-items manifest
SafeOutputsJob-->>DailyRepoStatus: outputs(created_issue_number, created_issue_url,...)
end
DailyRepoStatus->>ConclusionJob: start conclusion job (needs.activation, agent, detection, safe_outputs)
ConclusionJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
ConclusionJob->>ArtifactStore: download agent artifacts
ConclusionJob->>actions_github_script_v9: handle_noop_message.cjs, handle_detection_runs.cjs, missing_tool.cjs, report_incomplete_handler.cjs, handle_agent_failure.cjs
ConclusionJob->>GitHubIssuesAPI: create followup or failure issues as needed
ConclusionJob-->>DailyRepoStatus: final outputs (noop_message, tools_reported, incomplete_count)
Sequence diagram for updated Metrics Collector workflow orchestrationsequenceDiagram
actor Scheduler
participant MetricsCollector as metrics_collector_workflow
participant PreActivationJob as pre_activation_job
participant ActivationJob as activation_job
participant AgentJob as agent_job
participant PushRepoMemoryJob as push_repo_memory_job
participant ArtifactStore as actions_artifacts
Scheduler->>MetricsCollector: trigger (cron 40 12 * * * or workflow_dispatch)
MetricsCollector->>PreActivationJob: start pre_activation job
PreActivationJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
PreActivationJob->>actions_github_script_v9: check_membership.cjs (GH_AW_REQUIRED_ROLES)
PreActivationJob-->>MetricsCollector: outputs(activated, setup-trace-id)
alt caller has required roles
MetricsCollector->>ActivationJob: start activation job (needs.pre_activation)
ActivationJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
ActivationJob->>actions_github_script_v9: generate_aw_info.cjs
ActivationJob->>actions_github_script_v9: validate_multi_secret.sh via run step
ActivationJob->>actions_checkout_v6: checkout .github and .agents
ActivationJob->>ActivationJob: create_prompt_first.sh (RUNNER_TEMP prompts)
ActivationJob->>ActivationJob: interpolate_prompt.cjs, substitute_placeholders.cjs
ActivationJob->>ActivationJob: validate_prompt_placeholders.sh, print_prompt_summary.sh
ActivationJob->>ArtifactStore: upload activation artifact (aw_info.json, prompt, rate_limits)
ActivationJob-->>MetricsCollector: outputs(model, secret_verification_result, setup-trace-id, lockdown_check_failed, stale_lock_file_failed)
MetricsCollector->>AgentJob: start agent job (needs.activation)
AgentJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
AgentJob->>actions_checkout_v6: checkout repository
AgentJob->>github_gh_aw_actions_setup: create_gh_aw_tmp_dir.sh, configure_gh_for_ghe.sh
AgentJob->>github_gh_aw_actions_setup: clone_repo_memory_branch.sh (repo-memory/default)
AgentJob->>actions_github_script_v9: determine_automatic_lockdown.cjs
AgentJob->>github_gh_aw_actions_setup: download_docker_images.sh (alpine, firewall, mcpg, github-mcp-server)
AgentJob->>Env: install gh-aw extension and copy gh-aw binary to RUNNER_TEMP
AgentJob->>actions_setup_node_v6_3_0: setup Node 24
AgentJob->>CodexCLI: npm install @openai/codex@0.118.0
AgentJob->>AWF_0_25_20: install_awf_binary v0.25.20
AgentJob->>MCPGateway: start_mcp_gateway.sh (agenticworkflows via gh-aw binary, github-mcp-server v0.32.0)
AgentJob->>ArtifactStore: download activation artifact
AgentJob->>AWF_0_25_20: sandboxed codex exec for metrics collector prompt
AWF_0_25_20->>CodexAPI: model gpt-5.1-codex-mini
AWF_0_25_20->>MCPGateway: tools (agenticworkflows, github)
AgentJob->>AgentJob: redact_secrets.cjs, parse_codex_log.cjs, parse_mcp_gateway_log.cjs, parse_token_usage.cjs
AgentJob->>ArtifactStore: upload repo-memory-default and agent artifacts
AgentJob-->>MetricsCollector: outputs(effective_tokens, model, checkout_pr_success, setup-trace-id)
MetricsCollector->>PushRepoMemoryJob: start push_repo_memory job (needs.activation, needs.agent)
PushRepoMemoryJob->>github_gh_aw_actions_setup: uses github/gh-aw-actions/setup@ba90f...
PushRepoMemoryJob->>actions_checkout_v6: checkout repository
PushRepoMemoryJob->>actions_download_artifact_v8: download repo-memory-default
PushRepoMemoryJob->>actions_github_script_v9: push_repo_memory.cjs (validate, commit, push memory/meta-orchestrators)
PushRepoMemoryJob->>GitHubRepoMemoryBranch: push updated metrics files
PushRepoMemoryJob-->>MetricsCollector: outputs(validation_failed_default, validation_error_default, patch_size_exceeded_default)
else caller lacks required roles
ActivationJob-->>MetricsCollector: skipped (activated == false)
AgentJob-->>MetricsCollector: skipped
PushRepoMemoryJob-->>MetricsCollector: skipped
end
File-Level Changes
Assessment against linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Welcome! 👋Thank you for your first contribution to this project! We appreciate you taking the time to improve our codebase. Next Steps
Contribution Guidelines
Thanks again for contributing! 🎉 |
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- The cron schedules for
daily-repo-statusandmetrics-collectorhave changed (1:34 → 20:53and22:44 → 12:40); if that wasn’t intentional, it’s worth reverting to the previous run times before merging. - The new concurrency group for
push_repo_memory(push-repo-memory-${{ github.repository }}|memory/meta-orchestrators) changes how runs are serialized across the repo; please confirm this broader lock scope matches the desired behavior and won’t block unrelated memory pushes. - Several steps that previously relied on
/opt/gh-awnow reference${{ runner.temp }}/gh-aw; double‑check any out-of-band tooling or diagnostics that might still assume the old/optpath so they don’t silently break against these regenerated workflows.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The cron schedules for `daily-repo-status` and `metrics-collector` have changed (`1:34 → 20:53` and `22:44 → 12:40`); if that wasn’t intentional, it’s worth reverting to the previous run times before merging.
- The new concurrency group for `push_repo_memory` (`push-repo-memory-${{ github.repository }}|memory/meta-orchestrators`) changes how runs are serialized across the repo; please confirm this broader lock scope matches the desired behavior and won’t block unrelated memory pushes.
- Several steps that previously relied on `/opt/gh-aw` now reference `${{ runner.temp }}/gh-aw`; double‑check any out-of-band tooling or diagnostics that might still assume the old `/opt` path so they don’t silently break against these regenerated workflows.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b4d024b9b8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - activation | ||
| - agent | ||
| - detection | ||
| if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success' |
There was a problem hiding this comment.
Gate safe outputs on detection outcome, not job result
This if condition only checks needs.detection.result == 'success', which is the job exit status, not whether threat detection actually passed. In this same workflow, the detection parser runs with GH_AW_DETECTION_CONTINUE_ON_ERROR: "true" and emits detection_conclusion/detection_success, so detection can report findings while the job still ends green; in that case safe_outputs will still run and process/publish agent outputs that should have been blocked. Gate this job on needs.detection.outputs.detection_success == 'true' (or detection_conclusion == 'success') instead.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Code Review
This pull request updates the .github/aw/actions-lock.json file by adding entries for actions/github-script@v9 and github/gh-aw-actions/setup@v0.68.3. Feedback indicates that the old, stale version of the setup action should be removed to ensure consistency and prevent the accidental use of the broken path as intended by the PR description.
| "github/gh-aw-actions/setup@v0.68.3": { | ||
| "repo": "github/gh-aw-actions/setup", | ||
| "version": "v0.68.3", | ||
| "sha": "ba90f2186d7ad780ec640f364005fa24e797b360" | ||
| }, |
There was a problem hiding this comment.
The pull request description explicitly states that the new github/gh-aw-actions/setup@v0.68.3 entry replaces the stale github/gh-aw/actions/setup path, which was identified as the cause of a 'missing prompt-file failure'. However, the old entry (lines 18-22) has not been removed from the lock file. To ensure the fix is applied consistently across all workflows and to prevent the accidental use of the broken stale path, the old entry should be deleted if it is no longer required by any other components in the repository.
Summary
Closes #11.
Verification
gh aw compile daily-repo-status metrics-collector --no-emit --validate --no-check-update(0 errors, 2 safe-update warnings)bash scripts/validate-plugins.shgit diff --checkSecurity review
The gh-aw v0.68.3 compiler emitted safe-update warnings for restricted secrets
CODEX_API_KEYandOPENAI_API_KEY. I reviewed the regenerated locks: these secrets are used only by the Codex/OpenAI engine validation and agent execution paths generated by gh-aw, are excluded from the firewall environment where appropriate, and are included in redaction handling. The workflows already depended on Codex/OpenAI execution; this regeneration records that use in the new v3 lock manifest rather than adding an unrelated secret flow.The new generated action entry is
github/gh-aw-actions/setup@ba90f2186d7ad780ec640f364005fa24e797b360for v0.68.3, replacing the stalegithub/gh-aw/actions/setuppath that caused the missing prompt-file failure.Summary by Sourcery
Regenerate and modernize the Daily Repo Status and Metrics Collector GitHub Actions workflows using gh-aw v0.68.3, updating metadata, schedules, setup paths, and security/telemetry handling while keeping behavior aligned with the new agentic workflows framework.
Bug Fixes:
Enhancements:
CI: