Add replay workflow for gh-aw threat detection runs#28
Merged
Conversation
4 tasks
Agent-Logs-Url: https://github.com/github/gh-aw-threat-detection/sessions/1b230e22-c2bd-4536-a2cc-fe961a96d509 Co-authored-by: davidslater <12449447+davidslater@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add replay workflow for GitHub Actions threat detection runs
Add replay workflow for gh-aw threat detection runs
May 7, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a manual GitHub Actions workflow to replay threat-detect runs against artifacts from prior github/gh-aw workflow runs, enabling maintainers to reproduce and compare historical threat-detection results using different detector sources (current checkout, released binary, or container image).
Changes:
- Adds a new
Replay Threat Detectionworkflow_dispatchworkflow that downloads prior run artifacts, normalizes them into the detector input contract, runs the detector, and uploads sanitized replay outputs. - Expands README documentation for the artifact directory contract and documents replay workflow usage and required tokens.
Show a summary per file
| File | Description |
|---|---|
| README.md | Documents replay workflow usage and updates the artifacts directory contract to include replay-relevant files. |
| .github/workflows/replay-detection.yml | Implements a workflow_dispatch “replay” pipeline (download, normalize, run detector via current/release/image, sanitize, compare, upload). |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 3
Agent-Logs-Url: https://github.com/github/gh-aw-threat-detection/sessions/ce926e5b-1a97-4df8-b422-3bb760477528 Co-authored-by: davidslater <12449447+davidslater@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw-threat-detection/sessions/ce926e5b-1a97-4df8-b422-3bb760477528 Co-authored-by: davidslater <12449447+davidslater@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Copilot's findings
Comments suppressed due to low confidence (3)
.github/workflows/replay-detection.yml:440
- In image mode, the container is run as a non-root user (uid 1000 in the Dockerfile), but the bind-mounted
${REPLAY_OUTPUT}directory is created on the host and may not be writable by uid 1000. Consider running the container with the host UID/GID (or adjusting permissions) so--output /workspace/output/result.jsoncan be written reliably.
-e "CUSTOM_PROMPT=${CUSTOM_PROMPT}" \
-e "WORKFLOW_NAME=${WORKFLOW_NAME}" \
-e "WORKFLOW_DESCRIPTION=${WORKFLOW_DESCRIPTION}" \
-v "${REPLAY_INPUT}:/workspace/artifacts:ro" \
-v "${REPLAY_OUTPUT}:/workspace/output" \
.github/workflows/replay-detection.yml:438
- The docker replay path only passes
CUSTOM_PROMPT/WORKFLOW_*into the container. If image mode is intended to work with authenticated engines, it also needs to pass through the relevant engine auth env vars (e.g.,GH_AW_COPILOT_TOKEN/ANTHROPIC_API_KEY/OPENAI_API_KEY, or a token expected by the engine CLI). Otherwise the container run will fail or run unauthenticated.
docker run --rm \
-e "CUSTOM_PROMPT=${CUSTOM_PROMPT}" \
-e "WORKFLOW_NAME=${WORKFLOW_NAME}" \
-e "WORKFLOW_DESCRIPTION=${WORKFLOW_DESCRIPTION}" \
.github/workflows/replay-detection.yml:497
- Original result extraction assumes a raw
THREAT_DETECTION_RESULT:{...}line; it won’t successfully parse Claude’sstream-jsonoutput (the JSON will be escaped inside a JSON envelope). Since this workflow supportsengine=claude, consider extending this step to handle stream-json logs (e.g., parse each JSON line, read the.resultfield, then extract the prefix) so comparisons work for Claude runs too.
candidates = list(root.rglob('detection.log')) + list(root.rglob('*.log'))
marker = re.compile(r'THREAT_DETECTION_RESULT:(\{.*\})')
for path in candidates:
for line in path.read_text(errors='replace').splitlines():
match = marker.search(line)
- Files reviewed: 2/2 changed files
- Comments generated: 1
Agent-Logs-Url: https://github.com/github/gh-aw-threat-detection/sessions/f9ed69a8-34a4-46b8-bf07-c2766debb473 Co-authored-by: davidslater <12449447+davidslater@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw-threat-detection/sessions/e1d8a618-7392-4456-adab-772b752a7fb4 Co-authored-by: davidslater <12449447+davidslater@users.noreply.github.com>
Comment on lines
+118
to
+120
| GH_AW_COPILOT_TOKEN: ${{ secrets.GH_AW_COPILOT_TOKEN }} | ||
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | ||
| OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.