Skip to content

refactor: decouple safe-outputs checkout from event trigger context#30071

Open
Copilot wants to merge 4 commits intomainfrom
copilot/refactor-safe-outputs-processing
Open

refactor: decouple safe-outputs checkout from event trigger context#30071
Copilot wants to merge 4 commits intomainfrom
copilot/refactor-safe-outputs-processing

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 4, 2026
edited
Loading

Safe-outputs checkout was coupled to event-context GitHub Actions expressions (github.base_ref || github.event.pull_request.base.ref || ...), which silently fail for issue_comment events on PRs targeting non-default branches — checking out the default branch instead of the actual PR base.

Changes

Frontend — safe output entries become self-describing (safe_outputs_handlers.cjs)

  • Both createPullRequestHandler and pushToPullRequestBranchHandler now store entry.base_branch = baseBranch after resolving via getBaseBranch(). getBaseBranch() already makes GitHub API calls for issue_comment events to get the correct PR base branch; the fix just persists that resolved value into the payload.

Backend — new extraction step before checkout (compiler_safe_outputs_steps.go, compiler_safe_outputs_job.go)

  • Added buildExtractBaseBranchStep(): a shell step inserted between patch download and Checkout repository that reads base_branch from the downloaded agent_output.json and writes it to GITHUB_OUTPUT as base-branch (with branch-name character validation).
  • Updated both checkout ref expressions to lead with the extracted value: 
    ref: ${{ steps.extract-base-branch.outputs.base-branch || github.base_ref || github.event.pull_request.base.ref || github.ref_name || github.event.repository.default_branch }}
    Event-context fallbacks remain for backward compatibility with older agent outputs.
  • Removed the TODO: @dsyme says: We must remove this comment and the LIMITATION note — the architectural debt is resolved.

Tests

  • TestBuildExtractBaseBranchStep — new unit test for the extraction step
  • TestStepOrderInConsolidatedJob — updated to assert extract-base-branch runs before Checkout repository
  • Checkout ref assertions updated across compiler_safe_outputs_steps_test.go
  • JS handler tests verify base_branch is written into safe output entries (both create_pull_request and push_to_pull_request_branch)
  • 48 .lock.yml files recompiled

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name ortcfg.link GOINSECURE GOMOD GOMODCACHE KccABM5KLdbQdqncnJ/nPDBSfYPxXWId-nF379U/c1ozV8TA--json env e_all)' || 'round-robin' GO111MODULE sv GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw util GOMODCACHE go env t_NmpAeXU GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE ortcfg (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go sRem�� -json GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name /tmp/go-build227GOINSECURE -trimpath 64/bin/go -d github.com/githu-o -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name ithub-script/git/ref/tags/v9 node (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 bash sv --noprofile GOPROXY /usr/bin/git git rev-�� ithub-script/git/ref/tags/v9 git bject.type] | @tsv /tmp/gh-aw-test-gh show 1/x64/bin/node git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 e/git sv xterm-color git /usr/local/sbin/--show-toplevel git rev-�� ithub-script/git/ref/tags/v9 bash bject.type] | @tsv 849633340/001 git /opt/hostedtoolc/repos/actions/github-script/git/ref/tags/v9 git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv 'prefix' && github.actor go er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabl--show-toplevel -json GO111MODULE 64/bin/go git conf�� user.name Test User /usr/bin/git -json GO111MODULE 64/bin/go /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv xterm-color git /usr/bin/git report.md config sv git rev-�� ithub-script/git/ref/tags/v9 gh bject.type] | @tsv 45/001/test-compgit --jq bject.type] | @t--show-toplevel git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 GO111MODULE 1/x64/bin/node GOINSECURE GOMOD GOMODCACHE go t-ha�� ithub/workflows/ai-moderator.md GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE /opt/hostedtoolcache/go/1.25.8/x^remote\..*\.gh-resolved$ (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 infocmp bject.type] | @tsv BHBh/Mm0ui0x2Iv4git -3lxG0HoYBiF /opt/hostedtoolc--show-toplevel git rev-�� ithub-script/git/ref/tags/v9 node bject.type] | @tsv /tmp/TestHashCongit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/gh --show-toplevel go /usr/bin/git gh api /repos/actions/github-script/git/ref/tags/v9 --jq /opt/hostedtoolcache/go/1.25.8/x64/bin/node --show-toplevel ache/go/1.25.8/xrev-parse /usr/bin/git node (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv sistency_WithImports1468207083/001/main.md -extld=gcc /usr/bin/infocmp 6450333/b365/embgit GOPROXY 64/bin/go infocmp -1 xterm-color /opt/hostedtoolcGO111MODULE ache/node/24.14.1/x64/bin/node /tmp/go-build227git -trimpath 64/bin/go ache/node/24.14.1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/TestHashConsistency_GoAndJa-f go /usr/bin/infocmp -json GO111MODULE 64/bin/go infocmp -1 s/test.md go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/go-build1673387481/b466/typeutil.test -importcfg /usr/bin/git -s -w -buildmode=exe git conf�� user.email test@example.com (http block)
  • https://api.github.com/repos/actions/download-artifact/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel git $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/gh git rev-�� --show-toplevel gh /usr/bin/git ithub-script/gitgh --jq bject.type] | @t/repos/actions/github-script/git/ref/tags/v9 git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� ithub/workflows git /usr/bin/git --show-toplevel git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git /home/REDACTED/worgit go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git /ref/tags/v9 resolved$ sv git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 /opt/hostedtoolcache/node/24.14.1/x64/bin/node sv github.actor == git git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --get remote.origin.urrev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv GOSUMDB GOWORK 64/bin/go GOSUMDB GOWORK 64/bin/go sh -c "prettier" --cheGOINSECURE go 64/bin/go tierignore GO111MODULE 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv prettier --check 64/bin/go **/*.ts **/*.json --ignore-path git -c log.showsignaturGOINSECURE log 64/bin/go -d --format=format:-atomic --end-of-options-bool go (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv GOSUMDB GOWORK 64/bin/go GOSUMDB GOWORK 64/bin/go sh -c "prettier" --cheGOINSECURE go 64/bin/go tierignore GO111MODULE 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv npx prettier --cGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go node /hom�� --check scripts/**/*.js 64/bin/go -d GO111MODULE 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/pkGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcGO111MODULE -o /tmp/go-build227GOINSECURE -trimpath 64/bin/go -d main -lang=go1.25 go (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /repos/actions/github-script/git/ref/tags/v9 --jq /usr/bin/git SameOutput416266gh GO111MODULE e/git-upload-pac/repos/actions/github-script/git/ref/tags/v9 git rev-�� --show-toplevel go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv runs/20260504-054104-51840/test-3178515134 git /usr/bin/docker l config flow.test docker pull�� test/concurrent-image:v1.0.0 flow.test (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/architecture-gua.artifacts[].name go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv xterm-color go /usr/bin/git -json (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 git bject.type] | @tsv ithub-script/gitgit config ps git rev-�� /ref/tags/v9 ps sv git remote.origin.ur-1 /usr/bin/infocmpxterm-color git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --show-toplevel -tests /usr/bin/infocmp k/gh-aw/gh-aw/pkinfocmp GOPROXY 64/bin/go infocmp -1 xterm-color /opt/hostedtoolcGO111MODULE ache/node/24.14.1/x64/bin/node 1/x64/bin/git go layTitle ache/node/24.14.1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv r-test2252247846/test1.md r-test2252247846/test2.lock.yml /opt/hostedtoolcache/node/24.14.1/x64/bin/node -p main -lang=go1.25 node /tmp�� /tmp/TestHashStability_SameInputSameOutput4162666994/001/stability-test.md -dwarf=false /usr/bin/git template-expressgit -c=4 -nolocalimports git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv waysRecompiles3853729190/001 go /usr/bin/git iant-916868654/.git GO111MODULE 64/bin/go git remo�� GOMODCACHE aZfPHtRi8CIm /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go ache/node/24.14.1/x64/bin/node -json s $k => $v) echorev-parse 64/bin/go ache/node/24.14.1/x64/bin/node -151�� github.event.issue.number go /usr/bin/git -json GO111MODULE x_amd64/compile git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /repos/actions/github-script/git/ref/tags/v9.0.0--workflow --jq repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } /ref/tags/v9 rev-parse sv git rev-�� --show-toplevel git /usr/bin/git ithub/workflows rev-parse (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 git sv --show-toplevel x_amd64/vet /usr/bin/git infocmp -1 xterm-color git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv xterm-color git /usr/bin/git --show-toplevel git (http block)
  • https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel 1/x64/bin/node /usr/bin/git y remote /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git /tmp/gh-aw-test-gh l /opt/hostedtoolcstatus git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel YL/z_ixyLp_tzY6qSkYTSwY/DlsLd191vQ4VuLGX7nUb /usr/bin/git /tmp/TestHashCongh go b8bf4c10dd21f3c7/repos/actions/github-script/git/ref/tags/v9 git rev-�� /ref/tags/v9 git sv GOMODCACHE (http block)
    • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git sv gh (http block)
  • https://api.github.com/repos/azure/login/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /tmp/TestGuardPogit rev-parse /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x--jq /usr/bin/gh mpleWorkflow3472infocmp -importcfg /usr/bin/git gh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel infocmp /usr/bin/git git rev-�� --show-toplevel git /usr/bin/gh /tmp/TestGuardPoinfocmp config /usr/bin/git gh (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 node bject.type] | @tsv /tmp/TestHashCongit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 git bject.type] | @tsv --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/infocmp --show-toplevel bash /usr/bin/infocmpxterm-color infocmp (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv xterm-color git repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } ithub-script/git/usr/bin/gh sionclean bject.type] | @tgraphql git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/gh git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /repos/actions/github-script/git/ref/tags/v9 --jq ock.yml --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel infocmp /usr/bin/gh git (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git ithub-script/gitgit git bject.type] | @t/home/REDACTED/work/gh-aw/gh-aw git rev-�� /ref/tags/v9 git sv ithub-script/gitgit git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /repos/actions/github-script/gitremote.origin.url --jq /usr/bin/git /ref/tags/v9 git sv git rev-�� --show-toplevel git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch /ref/tags/v9 infocmp sv xterm-color git /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq r: $owner, name: $name) { hasDiscussionsEnabled } } /repos/actions/ggit --jq /usr/bin/git infocmp (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git st-3291581836 GO111MODULE flow.lock.yml git rev-�� --show-toplevel e/git /usr/bin/git FieldEnforcementinfocmp GO111MODULE /opt/hostedtoolcxterm-color git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel /usr/bin/gh /usr/bin/gh 4104-51840/test-gh -f /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq /usr/bin/git 4104-51840/test-infocmp (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /usr/bin/git Gitmaster_branchgit Gitmaster_branchrev-parse 64/bin/go git comm�� -m resolved$ /usr/bin/git ub/workflows GO111MODULE x_amd64/vet git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 --jq sv iant-1415910179/git git sv git remo�� DiscussionsEnabl/repos/actions/github-script/git/ref/tags/v9 infocmp /usr/bin/gh ithub/workflows mkdir (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv user.email test@example.com /usr/bin/git Gitmain_branch66git Gitmain_branch66rev-parse 64/bin/go git init�� GOMODCACHE resolved$ /usr/bin/git b/workflows GO111MODULE x_amd64/vet git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv xterm-color l /usr/bin/git k/gh-aw/gh-aw/.ggit show /usr/bin/git git conf�� --get remote.origin.url /usr/bin/infocmp k/gh-aw/gh-aw/.ggit show .lock.yml infocmp (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-27 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-04 GOMOD GOMODCACHE go itma�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-02-03 GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 99549434/.github/workflows GO111MODULE k GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name -f cfg -f owner=github -f docker imag�� inspect ghcr.io/github/serena-mcp-server:latest ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --show-toplevel git 64/pkg/tool/linu--show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link env 1643584872 GO111MODULE ortcfg.link GOINSECURE GOMOD GOMODCACHE 3JL8ddMPoqaiAM618n/W7nDXlF-2wrJGTest User (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE ache/go/1.25.8/x--created GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name git cfg l git r: $owner, name:--show-toplevel git -C /home/REDACTED/work/gh-aw/gh-aw show ache/go/1.25.8/x64/pkg/tool/linux_amd64/link /ref/tags/v9 git ml ache/go/1.25.8/x64/pkg/tool/linuTest User (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
    • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, 2499781/001' 2499781/001' 64/bin/go -p github.com/githu-atomic -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, k/gh-aw/gh-aw/.github/workflows node /home/REDACTED/.local/bin/bash l --package-lock-o-V=full /usr/bin/gh bash --no�� /ref/tags/v9 gh sv /ref/tags/v9 --jq sv git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name --jq cfg --show-toplevel git $name) { has--show-toplevel git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet remote.origin.urgh git /usr/bin/git ache/go/1.25.8/x--jq (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE 06/m1mI9m8ZybBw5VAsfaec/Pi1C9UClrev-parse env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env lP6o7YQkm GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name git 295a2b5277eba59fc7e0e91f1ce238d167c48eed01033184d580de28aa73216f-d --show-toplevel gh r: $owner, name:xterm-color git -C /ref/tags/v9 show sv --show-toplevel git r: $owner, name:--show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 99549434/.github/workflows GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name efaultBranchFrom100 cfg /ref/tags/v9 infocmp r: $owner, name:--show-toplevel git -C 4104-51840/test-820648011/.github/workflows s/ab-testing-advisor.lock.yml ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet s/agent-performagit s/agent-persona-rev-parse s/ai-moderator.l--show-toplevel ache/go/1.25.8/x64/pkg/tool/linustatus (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE eutil.test GOINSECURE GOMOD GOMODCACHE eutil.test 6733�� 2870138299 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name sRemoteWithRealGitmain_branch3663279646/002/work cfg remote.origin.urgit gh ml infocmp -1 4104-51840/test-820648011/.github/workflows git ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --show-toplevel git repository(owne--show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2870138299 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 99549434/.github/workflows GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE erutil GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name e-checker.lock.yowner=github cfg l owner=github -f git -C 4104-51840/test-820648011/.github/workflows config ache/go/1.25.8/x64/pkg/tool/linux_amd64/link remote.origin.urgit git 64/pkg/tool/linu--show-toplevel ache/go/1.25.8/x64/pkg/tool/linurev-parse (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path /tmp/go-build227GOINSECURE -trimpath 64/bin/go -d github.com/githu-atomic -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go ch_w�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
    • Triggering command: /tmp/go-build1673387481/b404/cli.test /tmp/go-build1673387481/b404/cli.test -test.testlogfile=/tmp/go-build1673387481/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-json go (http block)
    • Triggering command: /tmp/go-build769961279/b404/cli.test /tmp/go-build769961279/b404/cli.test -test.testlogfile=/tmp/go-build769961279/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true --show-toplevel infocmp /usr/bin/git git rev-�� k/gh-aw/gh-aw git kflows/blog-auditor.lock.yml --show-toplevel git /usr/bin/git infocmp (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/node/24.14.1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv efaultBranchFromLsRemoteWithRealGitmaster_branch32570542/001' efaultBranchFromLsRemoteWithRealGitmaster_branch32570542/001' 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE eutil GOMODCACHE 64/pkg/tool/linutest@example.com (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env adata/main.go GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE C-2vq9b/uslwpgUz-extld=gcc (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 -f (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ub/workflows GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ub/workflows GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw config k.yml remote.origin.urgit git (http block)
  • https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/node/24.14.1/x64/bin/node /usr/bin/git ts.result remote /usr/bin/infocmp--show-toplevel git rev-�� --show-toplevel infocmp /usr/bin/git xterm-color (http block)
    • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel /usr/bin/git /usr/bin/git -v gh /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel bash /opt/hostedtoolc--show-toplevel git (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv go t.go 1/x64/bin/node GOINSECURE GOMOD GOMODCACHE go hash�� vaScript166218363/001/test-empty-frontmatter.md GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv ithub/workflows git r.lock.yml /ref/tags/v9 git sv infocmp -1 Gitmaster_branch2323833191/001' Gitmaster_branch2323833191/001' ustering-analysis.lock.yml /ref/tags/v9 main sv gh (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env /ref/tags/v9 GO111MODULE sv GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion --show-toplevel git r: $owner, name:--show-toplevel infocmp -has�� ithub/workflows/archie.md git (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go -p github.com/githu-atomic -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go -d main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state ache/go/1.25.8/x64/bin/go GOINSECURE er GOMODCACHE go env _6utcoo9l GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ortcfg (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -c=4 -nolocalimports -importcfg /tmp/go-build1673387481/b437/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil_test.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ithub/workflows node repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } ster.patch --package-lock-obuild /usr/bin/git git rev-�� --show-toplevel git t-repair.lock.yml /ref/tags/v9 git sv infocmp (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 4/001/noflag-a.md GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE go env 3847-34970/test-1186733358/.githremote.origin.url GO111MODULE 3387481/b070/gh-aw.test GOINSECURE GOMOD GOMODCACHE 3387481/b070/gh-aw.test (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch licyTrustedUsersCompiledOutput2581492726/001 git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue May 4, 2026 that may be closed by this pull request
refactor: decouple safe-outputs processing from event trigger context #30066
Open
4 tasks
Copilot AI and others added 2 commits May 4, 2026 05:30
@gh-aw-bot
plan: decouple safe-outputs processing from event trigger context
8e240fd 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/21b6e841-fb5f-4dde-a8ca-d6e38a4d8402

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
@gh-aw-bot
refactor: decouple safe-outputs processing from event trigger context
5585927 
Store resolved base_branch in safe output entries (frontend) and extract
it in a new 'extract-base-branch' step before checkout (backend), removing
the tight coupling to event-context GitHub Actions expressions.

This fixes the known limitation for issue_comment events on PRs targeting
non-default branches, where the checkout step would fall back to the default
branch instead of the PR's actual base branch.

Changes:
- safe_outputs_handlers.cjs: store entry.base_branch for create_pull_request
  and push_to_pull_request_branch handlers
- compiler_safe_outputs_steps.go: add buildExtractBaseBranchStep() function;
  update checkout ref expressions to prefer steps.extract-base-branch.outputs.base-branch;
  remove TODO comment and LIMITATION note
- compiler_safe_outputs_job.go: insert extract-base-branch step between patch
  download and checkout in buildSafeOutputsSetupAndDownloadSteps
- Tests: update step order test, add TestBuildExtractBaseBranchStep, add JS
  tests verifying base_branch is stored in safe output entries
- Recompile 48 lock files to reflect updated checkout ref expression

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/21b6e841-fb5f-4dde-a8ca-d6e38a4d8402

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Copilot AI changed the title [WIP] Refactor safe outputs processing to decouple from event trigger context refactor: decouple safe-outputs checkout from event trigger context May 4, 2026
Copilot AI requested a review from gh-aw-bot May 4, 2026 05:47
This was referenced May 4, 2026
Open
Open
@pelikhan pelikhan marked this pull request as ready for review May 4, 2026 13:53
Copilot AI review requested due to automatic review settings May 4, 2026 13:53
Copilot AI reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refactors safe-outputs PR checkout to use a self-describing base_branch embedded in the agent output, instead of inferring the base branch from event-context expressions that can be wrong for issue_comment events on non-default-branch PRs.

Changes:

  • Persist resolved base_branch into safe output entries for create_pull_request and push_to_pull_request_branch (JS setup action).
  • Add an “extract base branch” step in the consolidated safe-outputs job and update checkout ref expressions to prefer the extracted value.
  • Update Go/JS tests and recompile affected .lock.yml workflows; extend action pin data for major-tag aliases.
Show a summary per file
File Description
pkg/workflow/data/action_pins.json Adds pinned SHAs for major-tag aliases used by generated workflows.
pkg/actionpins/data/action_pins.json Mirrors action pin updates for action pinning subsystem.
pkg/workflow/compiler_safe_outputs_steps.go Adds extract-base-branch step generator and updates checkout ref fallback order.
pkg/workflow/compiler_safe_outputs_job.go Inserts the extraction step before checkout in consolidated safe-outputs job.
pkg/workflow/compiler_safe_outputs_steps_test.go Adds unit test for extraction step and updates checkout/ref expectations + step ordering assertions.
actions/setup/js/safe_outputs_handlers.cjs Writes resolved base_branch into PR-related safe output entries.
actions/setup/js/safe_outputs_handlers.test.cjs Adds test assertions that base_branch is persisted into safe output entries.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/weekly-editors-health-check.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/weekly-blog-post-writer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/update-astro.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/unbloat-docs.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/ubuntu-image-analyzer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/tidy.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/test-create-pr-error-handling.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/technical-doc-writer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/spec-extractor.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/spec-enforcer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/smoke-update-cross-repo-pr.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/smoke-project.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/smoke-multi-pr.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/smoke-create-cross-repo-pr.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/slide-deck-maintainer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/schema-feature-coverage.lock.yml Recompiled lockfile to include extraction step and updated checkout ref (plus unrelated heredoc delimiter churn from recompilation).
.github/workflows/refiner.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/q.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/mergefest.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/layout-spec-maintainer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/jsweep.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/instructions-janitor.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/hourly-ci-cleaner.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/go-logger.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/glossary-maintainer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/github-mcp-tools-report.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/functional-pragmatist.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/dictation-prompt.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/developer-docs-consolidator.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/design-decision-gate.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/dependabot-repair.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/dead-code-remover.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/daily-workflow-updater.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/daily-safe-output-integrator.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/daily-rendering-scripts-verifier.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/daily-doc-updater.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/daily-doc-healer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/daily-community-attribution.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/daily-caveman-optimizer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/daily-architecture-diagram.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/craft.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/code-simplifier.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/code-scanning-fixer.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/cloclo.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/ci-coach.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.
.github/workflows/changeset.lock.yml Recompiled lockfile to include extraction step and updated checkout ref.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 55/55 changed files
  • Comments generated: 1

Comment thread pkg/workflow/compiler_safe_outputs_steps.go
Comment on lines +24 to +41
" - name: Extract base branch from agent output\n",
" id: extract-base-branch\n",
" if: steps.download-agent-output.outcome == 'success'\n",
" run: |\n",
" if [ -f \"/tmp/gh-aw/agent_output.json\" ]; then\n",
" BASE_BRANCH=$(node -e \"\n",
" try {\n",
" const data = JSON.parse(require('fs').readFileSync('/tmp/gh-aw/agent_output.json', 'utf8'));\n",
" const item = (data.items || []).find(i =>\n",
" (i.type === 'create_pull_request' || i.type === 'push_to_pull_request_branch') &&\n",
" i.base_branch\n",
" );\n",
" if (item) process.stdout.write(item.base_branch);\n",
" } catch(e) {}\n",
" \" 2>/dev/null || true)\n",
" # Validate: only allow safe git branch name characters\n",
" if [[ \"$BASE_BRANCH\" =~ ^[a-zA-Z0-9/_.-]+$ ]] && [ ${#BASE_BRANCH} -le 255 ]; then\n",
" printf 'base-branch=%s\\n' \"$BASE_BRANCH\" >> \"$GITHUB_OUTPUT\"\n",
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 4, 2026

🧪 Test Quality Sentinel Report

Test Quality Score: 73/100

⚠️ Acceptable — with suggestions

Metric Value
New/modified tests analyzed 6
✅ Design tests (behavioral contracts) 5 (83%)
⚠️ Implementation tests (low value) 1 (17%)
Tests with error/edge cases 6 (100%)
Duplicate test clusters 0
Test inflation detected ⚠️ YES — safe_outputs_handlers.test.cjs (+103 lines) vs safe_outputs_handlers.cjs (+12 lines), ratio ~8.6:1
🚨 Coding-guideline violations 1 — missing assertion messages in TestBuildExtractBaseBranchStep

Test Classification Details

View All Test Classifications (6 tests)
Test File Classification Issues Detected
should store resolved base_branch in safe output entry (allow-empty mode) actions/setup/js/safe_outputs_handlers.test.cjs ✅ Design None — verifies config override propagates correctly
should store GITHUB_BASE_REF as base_branch when no config override (allow-empty mode) actions/setup/js/safe_outputs_handlers.test.cjs ✅ Design None — verifies env-var fallback behavior
should store resolved base_branch in the safe output entry (push handler) actions/setup/js/safe_outputs_handlers.test.cjs ✅ Design ⚠️ Conditional assertion — if mockAppendSafeOutput is not called (git fails in CI), only expect(result).toBeDefined() runs, silently skipping the key behavioral check
TestBuildSharedPRCheckoutSteps (modified rows) pkg/workflow/compiler_safe_outputs_steps_test.go ✅ Design None — updates expected ref: expressions to include new steps.extract-base-branch.outputs.base-branch prefix
TestStepOrderInConsolidatedJob (modified) pkg/workflow/compiler_safe_outputs_steps_test.go ✅ Design None — asserts new step appears in correct position in step sequence
TestBuildExtractBaseBranchStep (new) pkg/workflow/compiler_safe_outputs_steps_test.go ⚠️ Implementation Checks internal YAML string content of a private function; missing descriptive assertion messages

Flagged Tests — Requires Review

⚠️ should store resolved base_branch in the safe output entry (push handler) (actions/setup/js/safe_outputs_handlers.test.cjs)

Classification: Design test with a conditional escape hatch
Issue: The key behavioral assertion (mockAppendSafeOutput called with base_branch) is wrapped in if (mockAppendSafeOutput.mock.calls.length > 0). In CI, if the git subprocess fails to commit (no git identity, restricted filesystem, etc.), the test exits via the else branch — expect(result).toBeDefined() — and passes without asserting anything about base_branch.
What would break if deleted? A regression where base_branch is not stored in the push-handler's safe output would not be reliably caught.
Suggested improvement: Either make the git setup more robust (use a proper temp directory with beforeAll/afterAll lifecycle hooks and ensure git config runs deterministically), or split into two tests: one for the happy path with a real git repo and one that stubs appendSafeOutput directly.

⚠️ TestBuildExtractBaseBranchStep (pkg/workflow/compiler_safe_outputs_steps_test.go:550)

Classification: Implementation test
Issue 1 — implementation coupling: Tests assert on specific string fragments inside the generated YAML (step name, ID, hardcoded file path /tmp/gh-aw/agent_output.json, env variable GITHUB_OUTPUT). These will break on any rename or path change even if the step's observable behavior is unchanged.
Issue 2 — missing assertion messages (guideline violation): All 9 assert.Contains calls lack a descriptive message argument, e.g. assert.Contains(t, stepsContent, "id: extract-base-branch") should be assert.Contains(t, stepsContent, "id: extract-base-branch", "extract-base-branch step must have correct ID").
What would break if deleted? Only the internal implementation structure. A behavioral regression (wrong branch extracted, security regex removed) would also be caught by TestBuildSharedPRCheckoutSteps and TestStepOrderInConsolidatedJob.
Suggested improvement: (1) Add descriptive messages to every assert.Contains call. (2) Consider moving the security regex check into a dedicated TestExtractBaseBranchSecurity test that explicitly documents the invariant being enforced.

Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 3 test functions (TestBuildSharedPRCheckoutSteps, TestStepOrderInConsolidatedJob, TestBuildExtractBaseBranchStep) — unit (//go:build !integration) ✅ build tag present
  • 🟨 JavaScript (*.test.cjs): 3 new tests in safe_outputs_handlers.test.cjs (vitest)

Verdict

Check passed. 17% of new tests are implementation tests (threshold: 30%). However, one guideline violation (missing assertion messages in TestBuildExtractBaseBranchStep) and a fragile conditional assertion in the push-handler JS test are worth addressing before merge.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls or internal string content
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §25323006116

🧪 Test quality analysis by Test Quality Sentinel · ● 728.9K ·

github-actions[bot]
github-actions Bot approved these changes May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test Quality Sentinel: 73/100. Test quality is acceptable - 17% of new tests are implementation tests (threshold: 30%). Two items worth addressing before merge: (1) missing assertion messages in TestBuildExtractBaseBranchStep, (2) fragile conditional assertion in the push-handler JS test.

@github-actions @claude
docs(adr): add draft ADR-30071 for decoupling safe-outputs base branc…
22526ad 
…h from event context

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 4, 2026

Commit pushed: 22526ad

🏗️ ADR gate enforced by Design Decision Gate 🏗️

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 4, 2026

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (116 new lines in business-logic directories) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/30071-decouple-safe-outputs-base-branch-from-event-context.md

What to do next

  1. Review the draft ADR committed to your branch — it was generated from the PR diff and PR body description
  2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and list real alternatives you considered
  3. Commit the finalized ADR to docs/adr/ on your branch
  4. Reference the ADR in this PR body by adding a line such as:

    ADR: ADR-30071: Decouple Safe-Outputs Base Branch from GitHub Actions Event Context

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

📋 Draft ADR Summary

Decision captured: Store the API-resolved base_branch in the safe-output entry payload and add a dedicated extract-base-branch shell step before checkout in all compiled workflows. The checkout ref leads with the extracted value and falls back to event-context expressions for backward compatibility.

Why this matters: The previous approach of relying solely on github.base_ref || github.event.pull_request.base.ref silently resolves to the default branch for issue_comment events — causing checkouts to the wrong base on PRs targeting non-default branches.

Alternatives documented: (1) Extending the event-context fallback chain — rejected because issue_comment events do not expose PR base branch in any expression; (2) Fetching base branch in a separate workflow API step — rejected as redundant since the agent already resolves it.

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

  • Context — What is the problem? What forces are at play?
  • Decision — What did you decide? Why?
  • Alternatives Considered — What else could have been done?
  • Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 30071-decouple-safe-outputs-base-branch-from-event-context.md for PR #30071).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §25323006144

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 139.6K ·

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@github-actions github-actions[bot] github-actions[bot] approved these changes

@gh-aw-bot gh-aw-bot Awaiting requested review from gh-aw-bot

Assignees

Copilot code review Copilot

@gh-aw-bot gh-aw-bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

refactor: decouple safe-outputs processing from event trigger context

3 participants

@gh-aw-bot