Skip to content

[aw-compat] Tag-scoped on.push.tags false-flagged as unscoped push (breaks first-party gh-aw-mcpg/release.md) #45247

Description

@github-actions

Summary

Today's cross-repo compilation audit (gh-aw 4e61268, 20 lock-file adopters by stars) surfaced a new validator false positive: a push trigger scoped by tags (on.push.tags) is incorrectly rejected as an "unscoped push," demanding a branches/branches-ignore filter. Tag-triggered release workflows are a standard pattern and never fire on branch pushes, so the fan-out rationale does not apply.

This breaks a first-party workflow: github/gh-aw-mcpg.github/workflows/release.md fails to compile (non-strict and strict). gh aw fix --write does not remediate it.

Root cause

ValidatePushBranchScope in pkg/workflow/compiler_filters_validation.go (~L96–136) accepts only branches and branches-ignore as valid push scoping. It ignores tags / tags-ignore (and paths / paths-ignore), so any push scoped solely by tags is treated as unscoped:

_, hasBranches := pushMap["branches"]
_, hasBranchesIgnore := pushMap["branches-ignore"]
if !hasBranches && !hasBranchesIgnore {
    return newUnScopedPushError()
}

Note the inconsistency: the sibling filter-pattern validator already understands tags/tags-ignore as first-class push filters, but the scope check does not.

Minimal reproduction

---
name: Tag Push Repro
on:
  push:
    tags:
      - 'v*.*.*'
permissions:
  contents: read
engine: copilot
---
# Test

gh aw compile

Validation failed for field 'on.push'
Value: push (no branch filter)
Reason: push event must specify a 'branches' or 'branches-ignore' filter ...

Control: replacing tags: with branches: [main] compiles clean (0 errors).

Suggested fix

In ValidatePushBranchScope, treat a push as scoped when any of branches, branches-ignore, tags, tags-ignore (and arguably paths / paths-ignore) is present. A tag-scoped push cannot fan out across feature branches, so it should pass without a branches filter. Add a regression test alongside push_branch_scope_test.go covering on.push.tags.

Run context

20-repo audit results
  • Clean or self-healed by gh aw fix: 15 (2 healed: githubnext/agentics-template, pelikhan/github-agentic-workflows).
  • Strict-forced-only false positives (compile clean without --strict): github/gh-aw-firewall (sandbox.mcp.version), elastic/ai-github-actions (sandbox.agent:false).
  • Genuine failures: 3
    • github/gh-aw-mcpg — tag-scoped push bug (this issue).
    • githubnext/gh-aw-test — object-form restore-memory vendor fixture — already tracked by #44542.
    • ms-mfg-community/day-in-the-life-copilot-lab — add-pr-commentadd-comment#43995 closed NOT_PLANNED (user-side rename).

Discovery: code-search endpoint HTTP 429 (persistent); repo-search verified no new adopters; cached adopter pool re-verified public + non-archived.

Representative repository

  • github/gh-aw-mcpg.github/workflows/release.md (on.push.tags: ['v*.*.*'])

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • models.dev

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "models.dev"

See Network Configuration for more information.

Generated by 🔧 Daily AW Cross-Repo Compile Check · 223.9 AIC · ⌖ 37.7 AIC · ⊞ 6.7K ·

  • expires on Jul 20, 2026, 2:06 AM UTC-08:00

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions