fix: recompile dependabot-major-review workflow with gh-aw v0.67.0 #196
Fixes CI failure: `cat: /opt/gh-aw/prompts/xpia.md: No such file or directory`
The Dependabot bump of github/gh-aw from 0.62.5 to 0.65.0 introduced a
mismatch: the lock file was compiled with an older gh-aw CLI (v0.53.4)
that referenced setup action v0.65.0 (which moved files from /opt/gh-aw/
to RUNNER_TEMP), but the lock file still contained hardcoded /opt/gh-aw/
paths.
Recompile with gh-aw v0.67.0 which:
- Uses new github/gh-aw-actions/setup@v0.67.0 setup action
- Correctly uses ${RUNNER_TEMP}/gh-aw/ paths
- Updates actions-lock.json with the new setup action SHA
Agent-Logs-Url: https://github.com/IntelliTect/try/sessions/5c643a86-7f12-455e-8e5c-f92ed7003730
Co-authored-by: BenjaminMichaelis <22186029+BenjaminMichaelis@users.noreply.github.com>
Pull request overview
This PR updates the generated Dependabot “major version reviewer” workflow lockfile to match the newer gh-aw runtime layout and action versions, fixing failures caused by hardcoded /opt/gh-aw/... paths.
Changes:
- Recompiled `dependabot-major-review.lock.yml` with gh-aw v0.67.0 and updated runtime paths to `${RUNNER_TEMP}/gh-aw/...`.
- Switched the setup action to `github/gh-aw-actions/setup@v0.67.0` and updated various generated workflow steps accordingly.
- Added/updated pinned SHAs in `actions-lock.json` for the referenced actions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/dependabot-major-review.lock.yml | Recompiled workflow lock with updated gh-aw action/runtime paths and new generated job structure. |
| .github/aw/actions-lock.json | Adds pinned SHA entries (including github/gh-aw-actions/setup@v0.67.0) to support action locking. |
| - name: Download agent output artifact | ||
| id: download-agent-output | ||
| continue-on-error: true | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| with: | ||
| name: agent-output | ||
| path: /tmp/gh-aw/safeoutputs/ | ||
| name: agent | ||
| path: /tmp/gh-aw/ | ||
| - name: Setup agent output environment variable | ||
| id: setup-agent-output-env | ||
| if: steps.download-agent-output.outcome == 'success' | ||
| run: | | ||
| mkdir -p /tmp/gh-aw/safeoutputs/ | ||
| find "/tmp/gh-aw/safeoutputs/" -type f -print | ||
| echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" | ||
| mkdir -p /tmp/gh-aw/ | ||
| find "/tmp/gh-aw/" -type f -print | ||
| echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT" | ||
| - name: Process No-Op Messages | ||
| id: noop | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| env: | ||
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | ||
| GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }} | ||
| GH_AW_NOOP_MAX: "1" |
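Review bot: The artifact name changes from `agent-output` to `agent` and the download path widens from `/tmp/gh-aw/safeoutputs/` to `/tmp/gh-aw/`, with `GH_AW_AGENT_OUTPUT` now pointing at `/tmp/gh-aw/agent_output.json`; because the download step is `continue-on-error: true`, a name or layout mismatch with the upload step in the agent job would not fail the run but would silently leave every downstream step with an empty path, so confirm the uploading step uses the same name and writes `agent_output.json` at the artifact root. The `find "/tmp/gh-aw/" -type f -print` listing is also broader now and will echo every file in the artifact into the job log, which is fine as a debug aid but worth remembering if the agent job ever writes anything sensitive into that directory.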
download-agent-output is marked continue-on-error, but setup-agent-output-env only runs on success and sets GH_AW_AGENT_OUTPUT via step outputs. The subsequent noop/missing_tool/handle_agent_failure steps always read steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT, so if the artifact download fails the env var will be empty and these scripts may fail (or silently do the wrong thing). Consider always setting a default GH_AW_AGENT_OUTPUT output (and creating a placeholder file if missing), or gating the dependent steps on the download/setup outcome instead of letting them run with an empty path.
| - name: Download agent output artifact | ||
| id: download-agent-output | ||
| continue-on-error: true | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| with: | ||
| name: agent-output | ||
| path: /tmp/gh-aw/safeoutputs/ | ||
| name: agent | ||
| path: /tmp/gh-aw/ | ||
| - name: Setup agent output environment variable | ||
| id: setup-agent-output-env | ||
| if: steps.download-agent-output.outcome == 'success' | ||
| run: | | ||
| mkdir -p /tmp/gh-aw/safeoutputs/ | ||
| find "/tmp/gh-aw/safeoutputs/" -type f -print | ||
| echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/safeoutputs/agent_output.json" >> "$GITHUB_ENV" | ||
| mkdir -p /tmp/gh-aw/ | ||
| find "/tmp/gh-aw/" -type f -print | ||
| echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT" | ||
| - name: Configure GH_HOST for enterprise compatibility | ||
| id: ghes-host-config | ||
| shell: bash | ||
| run: | | ||
| # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct | ||
| # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op. | ||
| GH_HOST="${GITHUB_SERVER_URL#https://}" | ||
| GH_HOST="${GH_HOST#http://}" | ||
| echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV" | ||
| - name: Process Safe Outputs | ||
| id: process_safe_outputs | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 | ||
| env: | ||
| GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }} | ||
| GH_AW_ALLOWED_DOMAINS: "*.docker.com,*.docker.io,*.githubusercontent.com,*.jsr.io,*.vsblob.vsassets.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,builds.dotnet.microsoft.com,bun.sh,cdn.jsdelivr.net,ci.dot.net,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,deb.nodesource.com,deno.land,dist.nuget.org,dl.k8s.io,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,esm.sh,gcr.io,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,learn.microsoft.com,lfs.github.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.dev.azure.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com" | ||
| GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }} | ||
| GH_AW_ALLOWED_DOMAINS: "*.docker.com,*.docker.io,*.githubusercontent.com,*.vsblob.vsassets.io,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.snapcraft.io,archive.ubuntu.com,auth.docker.io,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,builds.dotnet.microsoft.com,bun.sh,cdn.jsdelivr.net,ci.dot.net,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,deb.nodesource.com,deno.land,dist.nuget.org,dl.k8s.io,docs.github.com,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,esm.sh,gcr.io,get.pnpm.io,ghcr.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.blog,github.com,github.githubassets.com,googleapis.deno.dev,googlechromelabs.github.io,host.docker.internal,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,learn.microsoft.com,lfs.github.com,mcr.microsoft.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pkgs.dev.azure.com,pkgs.k8s.io,ppa.launchpad.net,production.cloudflare.docker.com,quay.io,raw.githubusercontent.com,registry.bower.io,registry.hub.docker.com,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.yarnpkg.com,s.symcb.com,s.symcd.com,security.ubuntu.com,skimdb.npmjs.com,storage.googleapis.com,telemetry.enterprise.githubcopilot.com,telemetry.vercel.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.googleapis.com,www.microsoft.com,www.npmjs.
com,www.npmjs.org,yarnpkg.com" |
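Review bot: The `GH_AW_ALLOWED_DOMAINS` egress allowlist changes in this hunk beyond the path updates: `*.jsr.io` is dropped while `docs.github.com`, `github.blog` and `www.googleapis.com` are added. Because this file is generated, confirm these entries come from the gh-aw v0.67.0 compiler defaults rather than a local edit, and mention them in the PR description, since `www.googleapis.com` in particular is a broad endpoint that widens what the agent step can reach if it is ever compromised. Separately, the `ghes-host-config` step strips only the scheme from `GITHUB_SERVER_URL`, so a trailing slash or path would remain in `GH_HOST`; trimming with `${GH_HOST%%/*}`, as the detection-job suggestion below does, would keep the two derivations consistent.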
Same pattern as in conclusion: download-agent-output is continue-on-error, but setup-agent-output-env only runs on success and process_safe_outputs always consumes steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT. If the artifact isn't present (for example when the agent job fails before upload), GH_AW_AGENT_OUTPUT will be empty and safe output processing may fail. Consider always setting a default output path (and writing an empty { "items": [] } file) or gating process_safe_outputs on the setup step succeeding.
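A hardened version of the generated "Setup agent output environment variable" step that addresses both review comments above (the conclusion and safe-outputs jobs), as an added example rather than code from this PR or from gh-aw: the step always emits a usable `GH_AW_AGENT_OUTPUT`, writing the empty `{ "items": [] }` document when no artifact arrived, and a small gate lets the consuming step reject anything that is not a well-formed safe-outputs document. The directory and outcome arguments, the validator function name, and the availability of `python3` (present on GitHub-hosted runners) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not gh-aw's own code: an always-succeeding replacement for
# the generated setup step, plus a consumer-side validity check.
set -eu

# $1: directory the artifact is extracted into (assumed argument)
# $2: outcome of the download step, "success" or "failure" (assumed argument)
# Appends GH_AW_AGENT_OUTPUT=<path> to $GITHUB_OUTPUT and prints the path.
# When the download did not succeed, or succeeded without the expected file,
# an empty safe-outputs document is written so later steps see valid JSON
# instead of an empty path.
setup_agent_output() {
  dir="$1"
  outcome="$2"
  out="${dir}/agent_output.json"
  mkdir -p "$dir"
  if [ "$outcome" != "success" ] || [ ! -s "$out" ]; then
    # Placeholder shape taken from the review comment: no items to process.
    printf '{ "items": [] }\n' > "$out"
  fi
  echo "GH_AW_AGENT_OUTPUT=${out}" >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT must be set}"
  printf '%s' "$out"
}

# Gate for the consuming step: succeed only for a non-empty JSON object whose
# "items" member is an array, so a truncated or tampered artifact is rejected
# before any safe-output script acts on it. Assumes python3 on the runner.
agent_output_is_valid() {
  file="$1"
  [ -s "$file" ] || return 1
  python3 -c 'import json, sys
d = json.load(open(sys.argv[1]))
sys.exit(0 if isinstance(d, dict) and isinstance(d.get("items"), list) else 1)' "$file"
}
```

In the workflow the first function replaces the `run:` body of the setup step (with `if:` removed), and a step that needs the artifact calls the second before reading `steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT`.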
| run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest | ||
| env: | ||
| GH_HOST: github.com |
GH_HOST is hardcoded to github.com for the Copilot CLI install. Elsewhere in this workflow you derive GH_HOST from GITHUB_SERVER_URL for enterprise compatibility; hardcoding here undermines that and can break runs on GHES/GHEC. Prefer deriving GH_HOST from github.server_url (or omitting it if the script can rely on defaults) so the workflow behaves consistently across GitHub instances.
| run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest | |
| env: | |
| GH_HOST: github.com | |
| run: | | |
| GH_HOST="${GITHUB_SERVER_URL#https://}" | |
| GH_HOST="${GH_HOST#http://}" | |
| export GH_HOST | |
| ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest | |
| env: | |
| GITHUB_SERVER_URL: ${{ github.server_url }} |
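Review bot: This suggestion derives `GH_HOST` by stripping only the scheme, whereas the parallel suggestion for the detection job also trims everything after the host with `${gh_host%%/*}`; use one derivation in both places (and preferably the same one as the existing `ghes-host-config` step) so a `GITHUB_SERVER_URL` with a trailing slash cannot produce a `GH_HOST` such as `ghe.example.com/`. The explicit `GITHUB_SERVER_URL: ${{ github.server_url }}` env entry is redundant, since the runner already exports that variable, though harmless.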
| run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest | ||
| env: | ||
| GH_HOST: github.com |
GH_HOST is hardcoded to github.com in the detection job’s Copilot CLI install, which conflicts with the workflow’s GHES/GHEC compatibility approach (deriving host from GITHUB_SERVER_URL). Consider deriving GH_HOST from github.server_url here as well (or omitting it) to avoid breaking detection runs on non-github.com instances.
| run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest | |
| env: | |
| GH_HOST: github.com | |
| run: | | |
| gh_host="${GITHUB_SERVER_URL#https://}" | |
| gh_host="${gh_host#http://}" | |
| gh_host="${gh_host%%/*}" | |
| GH_HOST="${gh_host}" ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest | |
| env: | |
| GITHUB_SERVER_URL: ${{ github.server_url }} |
The Dependabot Major Version Reviewer workflow started failing after Dependabot merged a bump of `github/gh-aw` from 0.62.5 to 0.65.0. The v0.65.0 setup action relocated runtime files from `/opt/gh-aw/` to `${RUNNER_TEMP}/gh-aw/`, but the lock file was compiled with the old gh-aw CLI (v0.53.4) and still referenced the old hardcoded paths — causing an immediate failure:

Changes
- `dependabot-major-review.lock.yml` — recompiled with gh-aw v0.67.0; setup action updated from `github/gh-aw/actions/setup@v0.65.0` → `github/gh-aw-actions/setup@v0.67.0`; all runtime paths updated from `/opt/gh-aw/` → `${RUNNER_TEMP}/gh-aw/`
- `actions-lock.json` — added pinned SHA entry for `github/gh-aw-actions/setup@v0.67.0`