fix(cache-memory): ensure detection always runs on safe outputs, including noop/boop #40882
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…low heartbeat and expiration checks Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot detection must ALWAYS be run on safe outputs, including boop.
…ypes Detection now runs whenever the agent job was not skipped, even when the agent calls noop/boop (which produces no output_types or patches). The detection_guard step inside the job handles the no-output case by setting run_detection=false, and detection_conclusion short-circuits with conclusion=skipped/success=true, so needs.detection.result == 'success' is always set for downstream jobs (update_cache_memory, safe_outputs). This reverts the update_cache_memory condition back to requiring detection success only (not accepting skipped), since detection will now always produce a success result when the agent ran. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in the latest commit. The detection job's The |
Pull request overview
This PR updates the gh-aw compiler and generated workflows so the threat-detection job is no longer skipped on “no safe outputs” runs (e.g. noop/boop), ensuring downstream cache-memory refresh (update_cache_memory) continues to run and doesn’t let cache state go cold after work has been completed.
Changes:
- Compiler: remove the “hasContent” (`output_types != '' || has_patch == 'true'`) gate from the detection job’s job-level `if:` so detection runs whenever the agent ran (not skipped).
- Tests/docs/workflows: update expectations and regenerate `.lock.yml` outputs; add a cache-memory heartbeat + staleness reset logic to the Documentation Unbloat workflow.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/threat_detection.go | Removes job-level content gating for detection job execution. |
| pkg/workflow/threat_detection_test.go | Updates test assertions so detection if: no longer mentions output_types/has_patch. |
| pkg/workflow/compiler_jobs_test.go | Updates test documentation comment to reflect detection always running when agent ran. |
| pkg/workflow/cache.go | Adds explanatory comment about relying on needs.detection.result == 'success' for noop runs. |
| .github/workflows/unbloat-docs.md | Adds cache-memory heartbeat file and 14-day staleness reset for cleaned history. |
| .github/workflows/unbloat-docs.lock.yml | Regenerated compiled workflow reflecting unbloat-docs.md changes + detection gating changes. |
| .github/workflows/workflow-skill-extractor.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/workflow-normalizer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/workflow-health-manager.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/workflow-generator.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/weekly-issue-summary.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/weekly-editors-health-check.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/weekly-blog-post-writer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/visual-regression-checker.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/video-analyzer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/update-astro.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/uk-ai-operational-resilience.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/ubuntu-image-analyzer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/typist.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/tidy.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/test-quality-sentinel.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/test-project-url-default.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/test-dispatcher.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/test-create-pr-error-handling.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/terminal-stylist.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/technical-doc-writer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/super-linter.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/sub-issue-closer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/step-name-alignment.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/static-analysis-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/stale-repo-identifier.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/stale-pr-cleanup.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/spec-librarian.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/spec-extractor.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/spec-enforcer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-workflow-call.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-workflow-call-with-inputs.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-test-tools.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-temporary-id.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-service-ports.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-project.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-pi.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-otel-backends.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-opencode.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-multi-pr.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-gemini.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-crush.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-copilot.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-copilot-sdk.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-copilot-arm.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-copilot-aoai-entra.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-copilot-aoai-apikey.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-codex.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-claude.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-call-workflow.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-antigravity.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-agent-scoped-approved.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-agent-public-none.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-agent-public-approved.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-agent-all-none.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/smoke-agent-all-merged.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/slide-deck-maintainer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/skillet.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/sergo.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/semantic-function-refactor.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/security-review.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/security-compliance.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/scout.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/schema-feature-coverage.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/schema-consistency-checker.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/safe-output-health.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/ruflo-backed-task.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/research.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/repository-quality-improver.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/repo-tree-map.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/repo-audit-analyzer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/refiner.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/refactoring-cadence.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/q.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/python-data-charts.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/prompt-clustering-analysis.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/pr-triage-agent.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/pr-sous-chef.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/pr-description-caveman.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/pr-code-quality-reviewer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/portfolio-analyst.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/poem-bot.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/plan.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/pdf-summary.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/outcome-collector.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/org-health-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/objective-impact-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/notion-issue-summary.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/necromancer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/metrics-collector.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/mergefest.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/mcp-inspector.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/mattpocock-skills-reviewer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/lockfile-stats.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/linter-miner.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/lint-monster.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/layout-spec-maintainer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/jsweep.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/issue-triage-agent.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/issue-monster.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/issue-arborist.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/instructions-janitor.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/hourly-ci-cleaner.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/grumpy-reviewer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/gpclean.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/go-pattern-detector.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/go-logger.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/go-fan.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/glossary-maintainer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/github-mcp-tools-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/github-mcp-structural-analysis.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/functional-pragmatist.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/firewall-escape.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/example-workflow-analyzer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/example-failure-category-filter.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/duplicate-code-detector.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/draft-pr-cleanup.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/docs-noob-tester.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/discussion-task-miner.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/dictation-prompt.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/developer-docs-consolidator.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/dev.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/dev-hawk.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/designer-drift-audit.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/design-decision-gate.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/deployment-incident-monitor.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/dependabot-repair.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/dependabot-go-checker.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/dependabot-burner.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/delight.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/deep-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/dead-code-remover.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/dataflow-pr-discussion-dataset.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-workflow-updater.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-windows-terminal-integration-builder.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-token-consumption-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-testify-uber-super-expert.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-team-status.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-team-evolution-insights.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-syntax-error-quality.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-spdd-spec-planner.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-skill-optimizer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-sentrux-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-semgrep-scan.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-security-red-team.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-security-observability.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-secrets-analysis.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-safeoutputs-git-simulator.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-safe-outputs-conformance.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-safe-output-optimizer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-safe-output-integrator.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-repo-chronicle.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-rendering-scripts-verifier.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-reliability-review.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-regulatory.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-performance-summary.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-observability-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-news.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-multi-device-docs-tester.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-model-inventory.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-mcp-concurrency-analysis.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-max-ai-credits-test.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-issues-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-hippo-learn.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-geo-optimizer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-function-namer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-formal-spec-verifier.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-firewall-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-file-diet.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-fact.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-experiment-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-doc-updater.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-doc-healer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-credit-limit-test.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-compiler-threat-spec-optimizer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-compiler-quality.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-community-attribution.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-code-metrics.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-cli-tools-tester.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-cli-performance.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-choice-test.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-caveman-optimizer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-cache-strategy-analyzer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-byok-ollama-test.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-awf-spec-compiler-surfacing.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-aw-cross-repo-compile-check.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-astrostylelite-markdown-spellcheck.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-assign-issue-to-user.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-architecture-diagram.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-ambient-context-optimizer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-agentrx-trace-optimizer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/daily-agent-of-the-day-blog-writer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/craft.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/copilot-session-insights.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/copilot-pr-prompt-analysis.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/copilot-pr-nlp-analysis.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/copilot-opt.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/copilot-cli-deep-research.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/copilot-centralization-optimizer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/copilot-centralization-drilldown.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/copilot-agent-analysis.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/contribution-check.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/constraint-solving-potd.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/commit-changes-analyzer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/code-simplifier.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/code-scanning-fixer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/cloclo.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/cli-version-checker.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/cli-consistency-checker.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/claude-code-user-docs-review.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/ci-doctor.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/ci-coach.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/chaos-pr-bundle-fuzzer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/changeset.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/breaking-change-checker.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/brave.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/blog-auditor.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/aw-failure-investigator.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/avenger.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/auto-triage-issues.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/audit-workflows.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/artifacts-summary.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/architecture-guardian.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/archie.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/approach-validator.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/api-consumption-report.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/agentic-token-trend-audit.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/agentic-token-audit.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/agent-persona-explorer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/agent-performance-analyzer.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
| .github/workflows/ab-testing-advisor.lock.yml | Regenerated compiled workflow reflecting updated detection job condition. |
Copilot's findings
- Files reviewed: 242/242 changed files
- Comments generated: 1
| // Detection job condition: always run whenever the agent job was not skipped, | ||
| // regardless of whether the agent produced outputs (output_types) or a patch. | ||
| // This ensures detection is never bypassed even when the agent calls noop/boop — | ||
| // the detection_guard step inside the job handles the no-output case by setting | ||
| // run_detection=false, and detection_conclusion short-circuits with conclusion=skipped, | ||
| // success=true, so downstream jobs (safe_outputs, update_cache_memory) see | ||
| // needs.detection.result == 'success' and behave correctly. |
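Review bot: "detection is never bypassed" on the third comment line overstates what the following lines describe. On a noop/boop run the job starts, but detection_guard sets run_detection=false and detection_conclusion reports conclusion=skipped. Reword so the comment says the job always runs and the guard decides whether analysis runs, and state explicitly that downstream jobs treat conclusion=skipped with success=true as a pass, so a later reader does not assume a no-output run was scanned.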
|
@copilot Merge main and recompile |
…s-documentation-unbloat # Conflicts: # .github/workflows/daily-security-observability.lock.yml Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
@copilot review all comments and address unresolved review feedback.
|
|
@copilot please refresh this branch and rerun the safe-output detection path after rebasing main.
|
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in
Addressed. Detection now always runs whenever the agent ran (including boop/noop safe-output runs) in |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
|
Caution: agentic threat detected
Details: The threat detection engine failed to produce results. Review the workflow run logs for details.
Smoke test results:
Warning: Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "proxy.golang.org"
See Network Configuration for more information.
|
Caution: agentic threat detected
Details: The threat detection engine failed to produce results. Review the workflow run logs for details.
Smoke Test Results
Overall Status: FAIL
Warning: Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "localhost"
See Network Configuration for more information.
|
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
|
Caution: agentic threat detected
Details: The threat detection engine failed to produce results. Review the workflow run logs for details.
Comment Memory
Note: This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
Warning: Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
|
🤖 Smoke Test: Claude — Run 27998822770
Core #1-12: ✅ all passed
Overall: PARTIAL
|
💥 Automated smoke test review - all systems nominal!
Warning: Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 68.5 AIC · ⌖ 39.2 AIC · ⊞ 8.5K
| - agent | ||
| if: > | ||
| always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true') | ||
| if: always() && needs.agent.result != 'skipped' |
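Review bot: With the output_types/has_patch clause removed, the new if: on the last line admits every agent result other than skipped, so a failed or cancelled agent run that produced nothing now starts the detection job as well. Add a test covering needs.agent.result of failure and cancelled with empty outputs, and confirm whether the detection job is meant to end in success there, since downstream jobs require needs.detection.result == 'success'.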
Simplifying this if condition ensures detection runs on all safe outputs including noop. Looks correct.
| - agent | ||
| if: > | ||
| always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true') | ||
| if: always() && needs.agent.result != 'skipped' |
Good — dropping the output_types/has_patch guard keeps behavior consistent across generated workflows. Verify recompile covers every lock file.
|
Smoke run done. Me left two tiny inline notes.
📰 BREAKING: Report filed by Smoke Copilot · 237.5 AIC · ⌖ 15.3 AIC · ⊞ 19.2K
|
Smoke tests summary: 1✅ 2✅ 3❌ 4✅ 5✅ 6✅ 7✅ 8✅ 9❌ 10✅ 11❌ 12✅ 13❌ 14✅
Overall status: FAIL
|
update_cache_memory was not being refreshed on noop runs because the detection job was skipped when the agent produced no outputs (e.g. called noop/boop). This caused the Documentation Unbloat cache to go cold after all docs were cleaned — every subsequent noop run silently dropped the cleanup history instead of refreshing it.

Changes

pkg/workflow/threat_detection.go
- buildDetectionJob: removed the hasContent guard (output_types != '' || has_patch == 'true') from the detection job's if: condition. Detection now runs whenever always() && agent.result != 'skipped', regardless of whether the agent produced any outputs.
- detection_guard step inside the job already handles the no-output case by setting run_detection=false, and detection_conclusion short-circuits with conclusion=skipped, success=true — so needs.detection.result == 'success' is correctly set for all downstream jobs even on noop runs.

pkg/workflow/cache.go
- buildUpdateCacheMemoryJob: retains buildDetectionSuccessCondition() (unchanged from before). Since detection now always runs and succeeds even for noop, requiring detection.result == 'success' is sufficient.

Tests (threat_detection_test.go, cache_memory_threat_detection_test.go, compiler_jobs_test.go, threat_detection_job_combinations_integration_test.go)
- TestDetectionJobLevelCondition to assert detection no longer gates on output_types/has_patch
- update_cache_memory condition assertions to expect success-only (not skipped)

.github/workflows/unbloat-docs.md
- last-run.txt into cache-memory/ on every run so the artifact always has content even when the agent writes nothing
- cleaned-files.txt if its most recent entry is older than 14 days, preventing silently stale "already cleaned" state after a GitHub Actions cache eviction

run: https://github.com/github/gh-aw/actions/runs/27997737621
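An added example, not part of this PR or of the gh-aw code base: a check that a compiled workflow's detection job no longer carries the output_types/has_patch guard described above. It reads only the job-level if: (single-line or folded), so step-level conditions do not cause false positives; the sample workflows and the guard step in them are constructed.

```python
import re

GATE = re.compile(r"outputs\.(output_types|has_patch)\b")  # the removed hasContent guard

def indent(line):
    return len(line) - len(line.lstrip())

def job_condition(text, job):
    """Return the job-level `if:` of `job` as one line, or None if the job or its `if:` is absent."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if re.fullmatch(rf"  {re.escape(job)}:\s*", l)), None)
    if start is None:
        return None
    body = []
    for line in lines[start + 1:]:
        if line.strip() and indent(line) <= 2:
            break  # next job or top-level key
        body.append(line)
    for i, line in enumerate(body):
        m = re.fullmatch(r"    if:\s*(.*)", line)  # exactly job level; step-level `if:` sits deeper
        if m is None:
            continue
        value = m.group(1).strip()
        if value[:1] in (">", "|"):  # block scalar: expression is on the deeper lines that follow
            parts = []
            for cont in body[i + 1:]:
                if cont.strip() and indent(cont) <= 4:
                    break
                parts.append(cont.strip())
            value = " ".join(p for p in parts if p)
        return value
    return None

def audit(workflows):
    """Take {file name: workflow text}; return [(file, problem)] for detection jobs still content-gated."""
    findings = []
    for name, text in sorted(workflows.items()):
        cond = job_condition(text, "detection")
        if cond is None:
            continue
        if GATE.search(cond):
            findings.append((name, "detection still gated on agent outputs"))
        elif "needs.agent.result != 'skipped'" not in cond:
            findings.append((name, "unexpected detection condition: " + cond))
    return findings

# Constructed samples, not real lock files; the guard step shown is hypothetical.
TEMPLATE = "jobs:\n  detection:\n    needs:\n      - agent\n    if: {cond}\n    steps:\n      - name: guard\n        if: needs.agent.outputs.output_types != ''\n"
OLD = TEMPLATE.format(cond=">\n      always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')")
NEW = TEMPLATE.format(cond="always() && needs.agent.result != 'skipped'")
```

Calling audit({"old.lock.yml": OLD, "new.lock.yml": NEW}) reports only the old file, even though both contain a step-level condition that mentions output_types.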
✨ PR Review Safe Output Test - Run 27998822770