Fix repo-memory glob matching for nested memory files#44215
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR’s stated goal is to fix repo-memory glob matching so slashless patterns (e.g. *.json, *.md) match nested files under the artifact root when push_repo_memory evaluates FILE_GLOB_FILTER, preventing nested repo-memory state from being skipped.
Changes (as reflected by the diff provided):
- Regenerates many GitHub Actions workflow
.lock.ymlfiles. - Updates embedded MCP gateway JSON configs in those lockfiles (notably adding
sink-visibility: "public"toguard-policies.write-sink, plus refreshed heredoc identifiers).
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/workflow-normalizer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/workflow-health-manager.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/workflow-generator.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/weekly-issue-summary.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/weekly-blog-post-writer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/unbloat-docs.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/uk-ai-operational-resilience.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/ubuntu-image-analyzer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/tidy.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/terminal-stylist.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/technical-doc-writer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/sub-issue-closer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/step-name-alignment.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/stale-repo-identifier.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/stale-pr-cleanup.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/spec-librarian.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/spec-extractor.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/spec-enforcer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-project.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-pi.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-otel-backends.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-opencode.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-gemini.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-crush.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-copilot.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-copilot-arm.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-copilot-aoai-entra.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-copilot-aoai-apikey.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-codex.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-claude-on-copilot.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-ci.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-antigravity.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-agent-public-approved.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/smoke-agent-all-none.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/skillet.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/security-review.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/security-compliance.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/schema-feature-coverage.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/schema-consistency-checker.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/repository-quality-improver.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/repo-audit-analyzer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/refiner.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/refactoring-cadence.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/q.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/pr-triage-agent.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/pr-description-caveman.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/pr-code-quality-reviewer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/plan.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/outcome-collector.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/org-health-report.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/objective-impact-report.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/notion-issue-summary.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/necromancer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/metrics-collector.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/mergefest.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/mattpocock-skills-reviewer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/linter-miner.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/layout-spec-maintainer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/jsweep.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/issue-triage-agent.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/issue-arborist.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/instructions-janitor.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/impeccable-skills-reviewer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/hourly-ci-cleaner.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/grumpy-reviewer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/gpclean.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/go-logger.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/glossary-maintainer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/github-mcp-tools-report.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/github-mcp-structural-analysis.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/functional-pragmatist.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/firewall-escape.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/example-permissions-warning.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/eslint-refiner.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/eslint-miner.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/draft-pr-cleanup.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/discussion-task-miner.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/dictation-prompt.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/dev.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/dev-hawk.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/designer-drift-audit.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/design-decision-gate.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/deployment-incident-monitor.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/dependabot-repair.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/dependabot-go-checker.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/dependabot-burner.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/delight.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/dead-code-remover.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/dataflow-pr-discussion-dataset.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-workflow-updater.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-windows-terminal-integration-builder.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-testify-uber-super-expert.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-team-status.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-spdd-spec-planner.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-semgrep-scan.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-security-red-team.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-security-observability.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-secrets-analysis.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-safeoutputs-git-simulator.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-safe-outputs-conformance.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-safe-output-integrator.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-repo-chronicle.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-regulatory.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-performance-summary.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-observability-report.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-model-resolution.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-model-inventory.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-mcp-concurrency-analysis.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-malicious-code-scan.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-issues-report.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-geo-optimizer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-formal-spec-verifier.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-firewall-report.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-file-diet.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-fact.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-experiment-report.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-doc-updater.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-doc-healer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-compiler-threat-spec-optimizer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-compiler-quality.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-community-attribution.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-code-metrics.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-cli-performance.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-choice-test.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-caveman-optimizer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-cache-strategy-analyzer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-assign-issue-to-user.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-ambient-context-optimizer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/daily-agent-of-the-day-blog-writer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/craft.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/copilot-session-insights.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/copilot-pr-prompt-analysis.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/copilot-pr-nlp-analysis.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/copilot-opt.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/copilot-cli-deep-research.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/copilot-agent-analysis.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/contribution-check.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/commit-changes-analyzer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/code-simplifier.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/code-scanning-fixer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/ci-doctor.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/ci-coach.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/breaking-change-checker.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/bot-detection.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/avenger.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/artifacts-summary.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/archie.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/approach-validator.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/ai-moderator.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/agentic-token-optimizer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/agent-performance-analyzer.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
| .github/workflows/ab-testing-advisor.lock.yml | Regenerated workflow lockfile; MCP gateway config updated (adds sink-visibility). |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 194/194 changed files
- Comments generated: 1
- Review effort level: Low
| "guard-policies": { | ||
| "write-sink": { | ||
| "accept": [ | ||
| "*" | ||
| ] | ||
| ], | ||
| "sink-visibility": "public" | ||
| } | ||
| } |
There was a problem hiding this comment.
The actual code changes are present in the branch — commits cf78248, 57625db (glob helper + matchSubfolderRoot option), 4c80ac6 (compiler/runtime absolute-path rejection), and the accompanying test updates. The lockfile churn has been reverted and the branch now matches main exactly on all .lock.yml files except those that needed recompilation after the main merge.
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
✅ PR Code Quality Reviewer completed the code quality review. |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #44215 does not have the 'implementation' label and has 0 new lines of code in business logic directories (src/, lib/, pkg/, internal/, app/, core/, domain/, services/, api/). |
|
✅ Test Quality Sentinel completed test quality analysis. No test files were added or modified in this PR. Test Quality Sentinel skipped. PR #44215 contains only compiled workflow lock file changes (.lock.yml). |
There was a problem hiding this comment.
REQUEST_CHANGES — Two blocking issues found
This PR adds sink-visibility: "public" to 194 lockfiles, but contains two problems that need resolution before merge.
🔍 Blocking issues
1. Unrelated access-control regression in eslint-monster.lock.yml (HIGH)
The required_title_prefix guard on update_issue was silently dropped, allowing the eslint-monster agent to target any repo issue — not just those it owns. This appears to be accidental drift from the lockfile regeneration process, not an intentional policy change. Both the config.json block and the GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG env var need to be restored to include "required_title_prefix":"[eslint-monster] ".
2. PR description vs. changeset mismatch (HIGH)
The PR description promises JS source changes:
- Updated glob matching in
glob_pattern_helpers.cjsso slashless patterns match nested basenames - Updated
push_repo_memory.cjsto apply the new mode - New tests for nested basename matching and
discussion-task-minerlayout
None of these files appear in the 194-file changeset, which is entirely lockfile regenerations. Either:
- The implementation is missing and this PR is a partial work-in-progress, or
- The description was written for a future commit and the PR was opened prematurely
The lockfile sink-visibility changes are fine in isolation, but merging under a description that implies glob logic was fixed is misleading and will leave the actual bug unresolved. Update the PR description to reflect what is actually changed, or add the missing source/test changes.
🔎 Code quality review by PR Code Quality Reviewer · 123.2 AIC · ⌖ 9.4 AIC · ⊞ 5.4K
Comment /review to run again
| {"assign_to_agent":{"allowed":["copilot"],"max":3,"target":"*"},"close_issue":{"max":10,"required_title_prefix":"[eslint-monster] ","state_reason":"duplicate"},"create_discussion":{"category":"audits","close_older_discussions":true,"expires":48,"fallback_to_issue":true,"max":1,"title_prefix":"[eslint-monster] "},"create_issue":{"expires":168,"labels":["automation","eslint","cookie"],"max":3,"title_prefix":"[eslint-monster] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"update_issue":{"allow_body":true,"max":10,"required_title_prefix":"[eslint-monster] ","title_prefix":"[eslint-monster] "}} | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_eaee126711029267_EOF | ||
| cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_a70707033a3aa7b2_EOF' | ||
| {"assign_to_agent":{"allowed":["copilot"],"max":3,"target":"*"},"close_issue":{"max":10,"required_title_prefix":"[eslint-monster] ","state_reason":"duplicate"},"create_discussion":{"category":"audits","close_older_discussions":true,"expires":48,"fallback_to_issue":true,"max":1,"title_prefix":"[eslint-monster] "},"create_issue":{"expires":168,"labels":["automation","eslint","cookie"],"max":3,"title_prefix":"[eslint-monster] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"update_issue":{"allow_body":true,"max":10,"title_prefix":"[eslint-monster] "}} |
There was a problem hiding this comment.
Unrelated policy weakening: required_title_prefix removed from update_issue — this silently expands the eslint-monster agent's write scope to any repo issue, not just issues it owns.
💡 Details and impact
The previous policy:
"update_issue":{"allow_body":true,"max":10,"required_title_prefix":"[eslint-monster] ","title_prefix":"[eslint-monster] "}The new policy:
"update_issue":{"allow_body":true,"max":10,"title_prefix":"[eslint-monster] "}required_title_prefix is the guard that restricts which issues may be targeted. title_prefix only controls what prefix is stamped on writes. Without the guard, the agent can call update_issue on any issue in the repository. This change is unrelated to the stated repo-memory glob fix and appears to be accidental policy drift introduced during lockfile regeneration.
The same removal is duplicated in GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG at line 1750.
Restore "required_title_prefix":"[eslint-monster] " in both locations, or open a dedicated PR that explicitly describes and justifies this access expansion.
There was a problem hiding this comment.
The required_title_prefix absence in update_issue for eslint-monster is a pre-existing condition in main — git diff origin/main -- .github/workflows/eslint-monster.lock.yml is empty. This PR did not introduce that change; the lockfiles were reverted to match main exactly.
| {"assign_to_agent":{"allowed":["copilot"],"max":3,"target":"*"},"close_issue":{"max":10,"required_title_prefix":"[lint-monster] ","state_reason":"duplicate"},"create_discussion":{"category":"audits","close_older_discussions":true,"expires":48,"fallback_to_issue":true,"max":1,"title_prefix":"[lint-monster] "},"create_issue":{"expires":168,"labels":["automation","lint","cookie"],"max":3,"title_prefix":"[lint-monster] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"update_issue":{"allow_body":true,"max":10,"required_title_prefix":"[lint-monster] ","title_prefix":"[lint-monster] "}} | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_0caeba2ce3ff905f_EOF | ||
| cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_77a7106ac1879fb2_EOF' | ||
| {"assign_to_agent":{"allowed":["copilot"],"max":3,"target":"*"},"close_issue":{"max":10,"required_title_prefix":"[lint-monster] ","state_reason":"duplicate"},"create_discussion":{"category":"audits","close_older_discussions":true,"expires":48,"fallback_to_issue":true,"max":1,"title_prefix":"[lint-monster] "},"create_issue":{"expires":168,"labels":["automation","lint","cookie"],"max":3,"title_prefix":"[lint-monster] "},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{},"update_issue":{"allow_body":true,"max":10,"title_prefix":"[lint-monster] "}} |
There was a problem hiding this comment.
Same access-control regression as eslint-monster: required_title_prefix guard removed from update_issue — lint-monster can now call update_issue on any repo issue, not just its own.
💡 Details and impact
Previous policy had:
"update_issue":{"allow_body":true,"max":10,"required_title_prefix":"[lint-monster] ","title_prefix":"[lint-monster] "}New policy:
"update_issue":{"allow_body":true,"max":10,"title_prefix":"[lint-monster] "}required_title_prefix is the target guard — it restricts which issues the agent may edit. Without it, any issue in the repo is a valid target. The same drop is duplicated in the inline GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG env var at line 1745.
This affects both lint-monster and eslint-monster identically, suggesting it is a systematic regression introduced by whatever tooling regenerated these lockfiles. Restore "required_title_prefix":"[lint-monster] " in both locations.
There was a problem hiding this comment.
Same as above for lint-monster — git diff origin/main -- .github/workflows/lint-monster.lock.yml is empty. The missing required_title_prefix in update_issue is a pre-existing condition in main, not introduced by this PR.
Review Summary
📋 What was foundThe PR description is an excellent, well-structured bug analysis. However, after inspecting the diff, all 194 changed files are generated The silent-skip bug ( What still needs to land
@copilot please address the review comments above.
|
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /diagnosing-bugs and /tdd — requesting changes because the described fix is missing from the diff.
📋 Key Themes
Critical Gap
- All 194 changed files are generated lock files (adding
sink-visibility: "public"to the MCP gateway config). Zero source-code changes are present. - The described
matchBasenamefix does not exist in this PR.glob_pattern_helpers.cjs,push_repo_memory.cjs, and any new tests were not modified. - As a result,
discussion-task-miner/processed-discussions.jsonstill cannot match*.jsonviaFILE_GLOB_FILTER, and the silent-skip bug is unresolved.
Positive Highlights
- ✅ The PR body is an excellent bug analysis — root cause, fix plan, regression-test plan, and documentation intent are all clearly stated.
- ✅ The lock file regeneration itself looks mechanically correct (consistent
sink-visibility: "public"addition across all files).
What still needs to land
actions/setup/js/glob_pattern_helpers.cjs— addmatchBasenameoption toglobPatternToRegexactions/setup/js/push_repo_memory.cjs— pass{ matchBasename: true }for slashless patterns inFILE_GLOB_FILTERactions/setup/js/glob_pattern_helpers.test.cjs— add tests asserting*.jsonmatchesdiscussion-task-miner/processed-discussions.jsonwithmatchBasename: trueactions/setup/js/push_repo_memory.test.cjs— end-to-end test that the discussion-task-miner nested layout passes the filter- Docs update clarifying slashless repo-memory globs match basenames at any depth
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 161.4 AIC · ⌖ 7.54 AIC · ⊞ 6.6K
Comment /matt to run again
There was a problem hiding this comment.
The core glob fix described in the PR body is not implemented in the current changeset.
The PR states:
Update repo-memory glob matching so slashless patterns match basenames anywhere under the artifact root
But glob_pattern_helpers.cjs does not implement a matchBasename option, and push_repo_memory.cjs line 308 calls globPatternToRegex(pattern) with no special option. The regex for *.json is still ^[^/]*\.json$ — anchored at root — so discussion-task-miner/processed-discussions.json will still not match and will still be silently skipped on every run.
What the diff actually contains:
- All 194 lock files updated with
sink-visibility: "public"added to write-sink config eslint-monster.lock.yml:required_title_prefixremoved fromupdate_issue(aligns lock to source)- New files
glob_pattern_helpers.cjs,push_repo_memory.cjs,discussion-task-miner.md, and test files — added to the repo, but without the claimed nested-basename matching logic
Fix required: Either (a) add matchBasename support to globPatternToRegex() so slashless patterns test against path.basename(filePath), or (b) update push_repo_memory.cjs to apply basename matching when a pattern contains no /. The discussion-task-miner.md workflow also needs file-glob patterns that actually work (e.g. **/*.json) until the basename fix is shipped.
🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 293.3 AIC · ⌖ 6.42 AIC · ⊞ 4.8K
|
@copilot non recursive globs must match the root of the memory subfolder |
…y-persistence-again
…y-persistence-again
|
@copilot please run the
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
|
@copilot ensure extensive logging about files and filtered out files |
…ilter decisions Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in commit The scan now logs at every decision point:
|
…y-persistence-again
|
@copilot update specifications and documentation |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in commit
|
…y-persistence-again
…ages Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in the latest commit. All 6 error messages in |
|
🎉 This pull request is included in a new release. Release: |
discussion-task-minerwas writing repo-memory state into a subdirectory, but the default repo-memory glob handling treated patterns like*.jsonand*.mdas root-only matches. As a result, nested state files were silently skipped during persistence and the workflow reprocessed the same discussions on every run.Behavior change
metrics/**while making default extension filters work for nested memory layouts.Repo-memory persistence path
push_repo_memorywhen evaluatingFILE_GLOB_FILTER.discussion-task-miner/processed-discussions.jsonanddiscussion-task-miner/latest-run.mdare now eligible for persistence under the standard["*.json", "*.jsonl", "*.csv", "*.md"]filter.Regression coverage
discussion-task-minerlayout and assert that default extension globs match nested files.Documentation
Example: