Skip to content

Prevent workspace wipe during local-actions checkout in generated workflows#42611

Merged
pelikhan merged 6 commits into
mainfrom
copilot/investigate-failure-fix
Jul 1, 2026
Merged

Prevent workspace wipe during local-actions checkout in generated workflows#42611
pelikhan merged 6 commits into
mainfrom
copilot/investigate-failure-fix

Conversation

Copilot AI commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Run 28486539819 failed in safe_outputs because the generated Checkout actions folder step used default checkout cleaning, which removed the workspace .git state and broke subsequent local-action/post-step git commands (fatal: --local can only be used inside a git repository).

  • Root cause alignment

    • Updated workflow YAML generation for local actions checkout paths to explicitly disable checkout cleanup where we only need to refresh action files.
  • Compiler changes

    • Added clean: false to dev-mode Checkout actions folder generation.
    • Added clean: false to script-mode Checkout actions folder generation.
    • Added clean: false to Restore actions folder generation.
  • Contract updates

    • Extended compiler assertions to require clean: false in the generated dev-mode checkout step.
    • Regenerated wasm golden fixtures to reflect the updated emitted YAML.
- name: Checkout actions folder
  uses: actions/checkout@...
  with:
    repository: github/gh-aw
    sparse-checkout: |
      actions
    clean: false
    persist-credentials: false

Generated by 👨‍🍳 PR Sous Chef · 151.9 AIC · ⌖ 15.1 AIC · ⊞ 1.7K ·

Copilot AI and others added 3 commits July 1, 2026 01:30
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Fix checkout cleanup failure in workflow-generated local actions checkout Prevent workspace wipe during local-actions checkout in generated workflows Jul 1, 2026
Copilot AI requested a review from pelikhan July 1, 2026 01:40
@pelikhan pelikhan marked this pull request as ready for review July 1, 2026 02:23
Copilot AI review requested due to automatic review settings July 1, 2026 02:23

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the workflow compiler’s generated actions/checkout steps for local-action bootstrapping to avoid wiping the workspace state (notably .git) during “Checkout actions folder” operations, addressing failures in safe_outputs where post-step git commands run.

Changes:

  • Emit with: clean: false for “Checkout actions folder” in dev mode and script mode generation.
  • Emit with: clean: false for the “Restore actions folder” generation.
  • Update compiler assertions and wasm golden fixtures to reflect the new emitted YAML.
Show a summary per file
File Description
pkg/workflow/compiler_yaml_step_generation.go Adds clean: false to generated checkout/restore steps for local actions.
pkg/workflow/compiler_custom_actions_test.go Extends dev-mode contract test to require clean: false.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Golden update: dev-mode checkout actions folder includes clean: false.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden Golden update: dev-mode checkout actions folder includes clean: false.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden Golden update: dev-mode checkout actions folder includes clean: false.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Golden update: dev-mode checkout actions folder includes clean: false.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Golden update: dev-mode checkout actions folder includes clean: false.
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden Golden update: dev-mode checkout actions folder includes clean: false.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Golden update: dev-mode checkout actions folder includes clean: false.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden Golden update: dev-mode checkout actions folder includes clean: false.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Golden update: dev-mode checkout actions folder includes clean: false.
.github/workflows/pr-code-quality-reviewer.lock.yml Workflow lock metadata updated, but checkout steps in the lock content still appear to omit clean: false.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 12/12 changed files
  • Comments generated: 2
  • Review effort level: Low

@@ -1,4 +1,4 @@
# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"0a7a1cc9a9d3e316b42d163c8f7452df59e96a2dd1056a07170aca6d955bd9ca","body_hash":"4b304b423080e4bab9d72281c704a8436fe09fa92cf666fe179d4681a922d405","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.65","copilot-sdk":"1.0.4"}}
# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"0a7a1cc9a9d3e316b42d163c8f7452df59e96a2dd1056a07170aca6d955bd9ca","body_hash":"3741a05e0a954d005c6a5d50b7567b198260ad61d940646d75c20b3b923c1606","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.65","copilot-sdk":"1.0.4"}}
" actions\n",
" path: /tmp/gh-aw/actions-source\n",
" fetch-depth: 1\n",
" clean: false\n",
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ failed during design decision gate check.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot The following review comments need attention:

  1. .github/workflows/pr-code-quality-reviewer.lock.yml:1 - This workflow lock file still contains multiple "Checkout actions folder" steps that do not set with.clean: false
  2. pkg/workflow/compiler_yaml_step_generation.go:56 - clean: false is now emitted for script mode, dev mode, and restore checkout steps, but only the dev mode generator has an explicit assertion added

Once you have addressed these comments, please run the pr-finisher skill to complete this PR.

Generated by 👨‍🍳 PR Sous Chef · 151.9 AIC · ⌖ 15.1 AIC · ⊞ 1.7K ·

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100 — Excellent

Analyzed 1 test (modified): 1 design test, 0 implementation tests, 0 guideline violations.

📊 Metrics & Test Classification (1 test analyzed)
Metric Value
New/modified tests analyzed 1
✅ Design tests (behavioral contracts) 1 (100%)
⚠️ Implementation tests (low value) 0 (0%)
Tests with error/edge cases 1 (100%)
Duplicate test clusters 0
Test inflation detected No (1:1 ratio)
🚨 Coding-guideline violations 0
Test File Classification Issues Detected
TestCheckoutActionsFolderDevModeHasRepository (new assertion) pkg/workflow/compiler_custom_actions_test.go:360 ✅ Design

What was changed: A single assertion was added to the existing test verifying that clean: false is present in the generated checkout YAML, directly enforcing the behavioral contract that prevents workspace wipe (removal of .git) during local-actions checkout in dev mode.

  • Design invariant enforced: generateCheckoutActionsFolder in dev mode must emit clean: false to protect the workspace.
  • Value if deleted: HIGH — the regression where the default clean: true wipes the workspace would go silently undetected.
  • Assertion quality: Has a descriptive failure message referencing the bug cause; maps 1:1 to the production change in compiler_yaml_step_generation.go.

Go: 1 (*_test.go); JavaScript: 0.

Notes: The other two clean: false additions in compiler_yaml_step_generation.go (non-dev checkout path and generateRestoreActionsSetupStep) are covered by the updated golden files (TestWasmGolden_AllEngines, TestWasmGolden_CompileFixtures). Build tag //go:build !integration present on line 1 ✅.

Verdict

Check passed. 0% implementation tests (threshold: 30%). No guideline violations. Score 100/100.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 42.2 AIC · ⌖ 13.9 AIC · ⊞ 7K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 100/100. 0% implementation tests (threshold: 30%). No guideline violations. See comment above for full analysis.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /diagnosing-bugs and /tdd — one observation on test coverage completeness, otherwise a solid targeted fix.

📋 Key Themes & Highlights

Key Themes

  • Test coverage asymmetry: clean: false is correctly added to all three code paths (dev, script, restore), but only dev mode gets a new unit-test assertion. Script mode and the restore step rely solely on golden fixture diffing for regression protection.

Positive Highlights

  • ✅ Root cause correctly identified and addressed in all three code paths
  • ✅ Dev-mode regression test extended with the clean: false assertion
  • ✅ All nine golden fixture files regenerated consistently
  • ✅ PR description clearly traces the failure (Run 28486539819) to the root cause

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 45.3 AIC · ⌖ 9.81 AIC · ⊞ 6.6K
Comment /matt to run again

}
if !strings.Contains(combined, "clean: false") {
t.Error("Dev mode Checkout actions folder should include 'clean: false' to avoid workspace cleanup removing .git")
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/tdd] The new clean: false assertion only covers dev mode — script mode and the restore step have no equivalent unit test.

💡 Suggested additions

TestScriptActionModeCompilation checks many checkout properties (repository, path, fetch-depth, ref) but not clean: false. Add it near line 279:

if !strings.Contains(lockStr, "clean: false") {
    t.Error("Script mode Checkout actions folder should include 'clean: false' to avoid workspace cleanup removing .git")
}

generateRestoreActionsSetupStep was also changed but has no unit test. A small dedicated test closes the gap:

func TestRestoreActionsSetupStepHasCleanFalse(t *testing.T) {
    compiler := NewCompiler(WithVersion("dev"))
    compiler.SetActionMode(ActionModeDev)
    step := compiler.generateRestoreActionsSetupStep()
    if !strings.Contains(step, "clean: false") {
        t.Error("Restore actions folder step should include 'clean: false' to avoid workspace wipe")
    }
}

Without these, regressions in script-mode or restore-step branches would only be caught by golden fixture diffing.

@copilot please address this.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: Prevent workspace wipe during local-actions checkout

The root cause is correctly identified and the fix is sound: adding clean: false to all three checkout/restore paths prevents actions/checkout from wiping the workspace .git state before local-action and post-step git commands run.

What looks good:

  • clean: false is applied consistently across all three generation paths (script mode, dev mode, and the restore step)
  • Dev-mode test updated with a direct assertion
  • All golden fixtures regenerated consistently
  • pr-code-quality-reviewer.lock.yml hash update is expected and correct

Non-blocking suggestions (2 inline comments):

  • TestScriptActionModeCompilation is missing a clean: false assertion for the script-mode checkout path
  • generateRestoreActionsSetupStep has no dedicated unit test; the golden fixtures provide indirect coverage but a direct assertion would make the invariant explicit

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 49.9 AIC · ⌖ 6.78 AIC · ⊞ 4.8K

}
if !strings.Contains(combined, "clean: false") {
t.Error("Dev mode Checkout actions folder should include 'clean: false' to avoid workspace cleanup removing .git")
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new assertion covers the dev-mode path, but TestScriptActionModeCompilation (which already asserts repository:, path:, fetch-depth: 1, ref:, etc.) does not assert clean: false for the script-mode checkout. The script-mode code path also received the fix, so a parallel assertion is needed:

if !strings.Contains(lockStr, "clean: false") {
    t.Error("Script mode Checkout actions folder should include clean: false to avoid workspace cleanup removing .git")
}

@copilot please address this.

step.WriteString(" sparse-checkout: |\n")
step.WriteString(" actions/setup\n")
step.WriteString(" sparse-checkout-cone-mode: true\n")
step.WriteString(" clean: false\n")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generateRestoreActionsSetupStep has no dedicated unit tests, so the new clean: false line is only covered indirectly via golden fixtures. A direct test analogous to TestCheckoutActionsFolderDevModeHasRepository would guard this invariant more explicitly. For example:

func TestRestoreActionsSetupStepHasCleanFalse(t *testing.T) {
    compiler := NewCompiler(WithVersion("v1.0.0"))
    step := compiler.generateRestoreActionsSetupStep()
    if !strings.Contains(step, "clean: false") {
        t.Error("Restore actions folder step should include clean: false to avoid workspace cleanup removing .git")
    }
}

@copilot please address this.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-blocking observations on test coverage

The core fix is correct — adding clean: false to all three checkout code paths addresses the root cause (actions/checkout's default git clean -fdx wiping .git state). The golden-file updates are consistent across all 8 affected fixtures.

📋 What was reviewed
  • compiler_yaml_step_generation.go: 3 clean: false additions (script, dev, restore paths) — all correctly placed before persist-credentials: false
  • compiler_custom_actions_test.go: dev-mode assertion added — correct
  • 9 golden files: all consistently updated — correct
  • .github/workflows/pr-code-quality-reviewer.lock.yml: metadata hash updated but workflow YAML steps inside still lack clean: false (flagged separately in existing review thread)

Two test coverage gaps noted in inline comments: (1) script-mode assertion is missing from TestScriptActionModeCompilation, and (2) generateRestoreActionsSetupStep has no test at all despite being called from 5 production sites. These don't block correctness today but leave regression holes.

🔎 Code quality review by PR Code Quality Reviewer · 151.1 AIC · ⌖ 7.38 AIC · ⊞ 1.6K
Comment /review to run again

}
if !strings.Contains(combined, "clean: false") {
t.Error("Dev mode Checkout actions folder should include 'clean: false' to avoid workspace cleanup removing .git")
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Script-mode checkout has no clean: false assertion, leaving a regression gap.

💡 Details

The PR adds clean: false to both dev-mode and script-mode checkout generation (generateCheckoutActionsFolder), and correctly adds a test assertion for dev mode (TestCheckoutActionsFolderDevModeHasRepository). However, TestScriptActionModeCompilation (line 189) tests 10 other properties of the script-mode checkout step but has no check for clean: false. If the script-mode branch of generateCheckoutActionsFolder silently regresses (e.g., the clean: false line is accidentally removed), no test will catch it.

Suggested fix — add to TestScriptActionModeCompilation after the existing assertions:

// 11. Checkout should include clean: false to avoid removing .git state
if !strings.Contains(lockStr, "clean: false") {
    t.Error("Expected 'clean: false' in checkout step for script mode to prevent workspace wipe")
}

This mirrors the dev-mode assertion added in this same PR at line 360.

step.WriteString(" sparse-checkout: |\n")
step.WriteString(" actions/setup\n")
step.WriteString(" sparse-checkout-cone-mode: true\n")
step.WriteString(" clean: false\n")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generateRestoreActionsSetupStep has no test asserting clean: false, and the function is exercised in 5 production call sites.

💡 Details

The fix adds clean: false to this function at line 106, but there is no unit test for generateRestoreActionsSetupStep anywhere in the test suite, and the golden files under testdata/ do not contain a "Restore actions folder" step — so the golden tests don't cover it either.

The function is called from:

  • publish_assets.go
  • compiler_safe_outputs_job.go
  • repo_memory.go
  • compiler_experiments.go
  • compiler_yaml_main_job.go

If clean: false is removed from this function, no automated check will fail. The bug that prompted this PR could silently resurface in any of those 5 code paths.

Suggested fix — add a dedicated test (or extend an existing integration test that exercises one of the callers) that asserts the restore step output contains clean: false:

func TestRestoreActionsSetupStepHasCleanFalse(t *testing.T) {
    compiler := NewCompiler(WithVersion("1.0.0"))
    step := compiler.generateRestoreActionsSetupStep()
    if !strings.Contains(step, "clean: false") {
        t.Error("Restore actions setup step should include 'clean: false' to avoid workspace wipe")
    }
}

" repository: github/gh-aw\n",
" sparse-checkout: |\n",
" actions\n",
" clean: false\n",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix is incomplete — at least 10 hardcoded checkout steps in other files bypass generateCheckoutActionsFolder() and still lack clean: false.

💡 Details

maintenance_workflow_yaml.go contains 8 direct yaml.WriteString(" - name: Checkout actions folder\n") calls (lines ~162, 228, 322, 372, 679, 778, 827, 937) that go straight from sparse-checkout: to persist-credentials: false — no clean: false. These all bypass generateCheckoutActionsFolder() entirely.

side_repo_maintenance.go has 2 more identical hardcoded blocks (lines ~308, 376) in dev/script mode paths, also without clean: false.

Confirmed via grep — none of them emit clean: false:

$ grep -A15 Checkout

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

@copilot The following review comments need attention:

  1. .github/workflows/pr-code-quality-reviewer.lock.yml:1 - This workflow lock file still contains multiple "Checkout actions folder" steps...

Both issues have been addressed:

  1. .github/workflows/pr-code-quality-reviewer.lock.yml — All 6 "Checkout actions folder" steps in this file already have clean: false (lines 129, 497, 1151, 1421, 1674, 1758). The lock file was correctly regenerated in the previous commits.

  2. pkg/workflow/compiler_yaml_step_generation.go — Added clean: false regression assertions to both missing test paths:

    • TestScriptActionModeCompilation in compiler_custom_actions_test.go (assertion Fix orphan removal on "gh aw remove" #11)
    • TestGenerateMainJobStepsRestoreActionsFolder in compiler_yaml_main_job_test.go (restore step sub-test)

Committed in the latest push.

… unit test

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Copilot AI requested a review from gh-aw-bot July 1, 2026 02:58
@pelikhan pelikhan merged commit ac54988 into main Jul 1, 2026
28 checks passed
@pelikhan pelikhan deleted the copilot/investigate-failure-fix branch July 1, 2026 03:07
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants