Fix cross-repo activation checkout for event-driven relay workflows by Copilot · Pull Request #20583 · github/gh-aw

Copilot · 2026-03-11T19:59:20Z

The activation job checkout introduced in #20301 used github.event_name == 'workflow_call' && github.action_repository || github.repository to resolve the platform repo. This expression breaks for event-driven relays (on: issue_comment, on: push, etc.) where GitHub propagates the original triggering event through the workflow_call chain — making event_name never 'workflow_call' inside the called workflow, so checkout always targets the caller's repo.

Root cause

GITHUB_WORKFLOW_REF (always set to the executing workflow's owner/repo/.github/workflows/file@ref) is the correct discriminator — unlike event_name, it reflects which workflow is running, not what triggered it.

Changes

resolve_host_repo.cjs (new): actions/github-script script that parses GITHUB_WORKFLOW_REF, extracts the owner/repo prefix, compares against GITHUB_REPOSITORY to detect cross-repo invocations, sets target_repo output, logs the decision, and writes a step summary when cross-repo is detected.
compiler_activation_job.go: Adds generateResolveHostRepoStep() and inserts it before generateCreateAwInfo when a workflow_call trigger is present. Updates generateCheckoutGitHubFolderForActivation() to use the CheckoutManager.SetCrossRepoTargetRepo API. Exposes target_repo: ${{ steps.resolve-host-repo.outputs.target_repo }} as an activation job output so agent and safe_outputs jobs can reference needs.activation.outputs.target_repo. Updates the "Cross-repo setup guidance" failure step condition from github.event_name == 'workflow_call' to steps.resolve-host-repo.outputs.target_repo != github.repository, so the guidance fires correctly for event-driven relays.
checkout_manager.go: Adds crossRepoTargetRepo field with SetCrossRepoTargetRepo / GetCrossRepoTargetRepo methods — the canonical place for downstream jobs to carry the platform repo expression for any checkout step that needs it.
compiler_yaml_main_job.go: Agent job's CheckoutManager now has crossRepoTargetRepo set to ${{ needs.activation.outputs.target_repo }} when a workflow_call trigger is present, propagating the resolved platform repo to any checkout step generated in the agent job.
compiler_yaml.go: Passes GH_AW_INFO_TARGET_REPO: ${{ steps.resolve-host-repo.outputs.target_repo }} into the generate_aw_info env when applicable.
generate_aw_info.cjs: Records target_repo in aw_info.json for observability.
compiler_safe_outputs_job.go: The safe_outputs job now declares activation as a dependency when a workflow_call trigger is present, so needs.activation.outputs.target_repo is resolvable in that job.
safe_outputs_config.go: buildGitHubAppTokenMintStep accepts a new fallbackRepoExpr parameter. When a workflow_call trigger is detected, callers in compiler_safe_outputs_job.go, safe_outputs_jobs.go, and notify_comment.go pass ${{ needs.activation.outputs.target_repo }} so the minted GitHub App token is scoped to the platform (host) repo rather than the caller's repo.
dispatch_workflow.go / compiler_safe_outputs_config.go: Added TargetRepoSlug field to DispatchWorkflowConfig and updated the dispatch_workflow handler builder to emit target-repo. addHandlerManagerConfigEnvVar injects ${{ needs.activation.outputs.target_repo }} (via a safeOutputsWithDispatchTargetRepo helper) when workflow_call is present and no explicit target-repo is configured, ensuring dispatch_workflow targets the host repo rather than the caller's.
Tests: resolve_host_repo.test.cjs covers same-repo, cross-repo, event-driven relay (issue_comment), empty/malformed GITHUB_WORKFLOW_REF, and undefined GITHUB_REPOSITORY. Go tests updated to assert the new step expression and verify the broken event_name-based expression is absent. TestCrossRepoTargetRepo covers the CheckoutManager getter/setter lifecycle. TestActivationJobTargetRepoOutput verifies target_repo appears (or is absent) in activation job outputs for all trigger combinations.

The resulting activation job step sequence for workflow_call triggers:

- name: Resolve host repo for activation checkout
  id: resolve-host-repo
  uses: actions/github-script@...
  with:
    script: |
      # parses GITHUB_WORKFLOW_REF → sets steps.resolve-host-repo.outputs.target_repo

- name: Generate agentic run info
  env:
    GH_AW_INFO_TARGET_REPO: ${{ steps.resolve-host-repo.outputs.target_repo }}
  ...

- name: Cross-repo setup guidance
  if: failure() && steps.resolve-host-repo.outputs.target_repo != github.repository
  # fires for both direct workflow_call and event-driven relay scenarios

- name: Checkout .github and .agents folders
  uses: actions/checkout@...
  with:
    repository: ${{ steps.resolve-host-repo.outputs.target_repo }}  # was broken expression

# Activation job outputs:
outputs:
  target_repo: ${{ steps.resolve-host-repo.outputs.target_repo }}  # available to agent/safe_outputs as needs.activation.outputs.target_repo

For workflow_call triggers, the safe_outputs job also:

Depends on activation (to resolve needs.activation.outputs.target_repo)
Scopes the GitHub App token to the platform repo (not the caller's repo) when no explicit repositories: is configured
Sets target-repo on the dispatch_workflow handler config so workflow dispatch targets the platform repo

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Replace the broken `github.event_name == 'workflow_call' && github.action_repository || github.repository` expression with a proper runtime resolution step using GITHUB_WORKFLOW_REF. - Add resolve_host_repo.cjs: parses GITHUB_WORKFLOW_REF to determine platform repo - Add resolve_host_repo.test.cjs: 9 tests for all relay patterns including event-driven - Update generate_aw_info.cjs: add target_repo field to aw_info.json - Update compiler_activation_job.go: add generateResolveHostRepoStep() and insert before aw_info step for workflow_call triggers - Update compiler_yaml.go: pass GH_AW_INFO_TARGET_REPO when workflow_call trigger present - Update compiler_activation_job_test.go: update workflowCallRepo constant and add tests - Update golden test files to reflect new activation job structure - Recompile all 166 workflow lock files Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot

Pull request overview

Fixes cross-repo activation checkout for event-driven relay workflows by resolving the “host” repository from GITHUB_WORKFLOW_REF (instead of github.event_name) and plumbing that value into checkout and aw_info.json.

Changes:

Add resolve_host_repo.cjs + tests to compute target_repo from GITHUB_WORKFLOW_REF and expose it as a step output.
Update activation-job generation to run a “resolve host repo” step before generate_aw_info, and use its output for .github/.agents checkout.
Pass target_repo into generate_aw_info and record it in aw_info.json; update smoke lock workflow and Go tests accordingly.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
`pkg/workflow/compiler_activation_job.go`	Adds `generateResolveHostRepoStep()` and switches activation checkout to use `steps.resolve-host-repo.outputs.target_repo`.
`pkg/workflow/compiler_yaml.go`	Injects `GH_AW_INFO_TARGET_REPO` into the `generate_aw_info` env for `workflow_call` (non-inlined) workflows.
`pkg/workflow/compiler_activation_job_test.go`	Updates/extends tests to assert the new step output expression is used and the old `event_name` expression is absent.
`actions/setup/js/resolve_host_repo.cjs`	New github-script module that parses `GITHUB_WORKFLOW_REF` and sets `target_repo`.
`actions/setup/js/resolve_host_repo.test.cjs`	Unit tests covering same-repo, cross-repo, relay scenarios, and malformed/empty env inputs.
`actions/setup/js/generate_aw_info.cjs`	Adds `target_repo` field to `aw_info.json` (from `GH_AW_INFO_TARGET_REPO`).
`.github/workflows/smoke-workflow-call.lock.yml`	Updates generated workflow to include the new resolve step, pass env, and use resolved repo for checkout.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Copilot · 2026-03-11T20:43:12Z

pkg/workflow/compiler_activation_job.go

+	// the checkout step. This is necessary for event-driven relays (e.g. on: issue_comment)
+	// where github.event_name is not 'workflow_call', making the previous expression
+	// (github.event_name == 'workflow_call' && github.action_repository || github.repository)
+	// unreliable. GITHUB_WORKFLOW_REF always reflects the executing workflow's repo regardless
+	// of how it was triggered.
+	if hasWorkflowCallTrigger(data.On) && !data.InlinedImports {


The new logic correctly avoids relying on github.event_name == 'workflow_call' for checkout, but the activation job still adds the "Cross-repo setup guidance" step with if: failure() && github.event_name == 'workflow_call' (same file, line 81). For event-driven relays (issue_comment/push → workflow_call chain), that condition will never be true, so the guidance won’t run when it’s most needed. Consider updating the guidance step condition to use the same discriminator as checkout (e.g., GITHUB_WORKFLOW_REF/resolve-host-repo output) or at minimum drop the event_name check so relays are covered.

johnwilliams-12 · 2026-03-11T20:43:15Z

If I'm not mistaken this would fix the issue only for the activation job, but I think the issue will remain for the safe_outputs/dispatch_workflow of the agent job. I think that the gh-aw compiler would also need to: export target_repo from the activation job as a declared job output → add activation to safe_outputs's needs → scope the App token repositories to the platform repo → add target-repo to the dispatch_workflow handler config.

pelikhan · 2026-03-11T20:48:33Z

@copilot the target_repo value needs to be propagated to the other jobs (agent/safe_outputs/...) and use whenever checkout is needed. Update the checkout manager.

johnwilliams-12 · 2026-03-11T20:54:42Z

the target_repo value needs to be propagated to the other jobs (agent/safe_outputs/...) and use whenever checkout is needed. Update the checkout manager.

Agreed that target_repo needs to flow through to agent and safe_outputs, and updating the CheckoutManager is the right structural approach. Worth noting though that the checkout steps are not the only consumers that need to be updated — there are two additional places in safe_outputs that also use github.event.repository.name and will still resolve to the caller repo even after a CheckoutManager fix:

1. The GitHub App token repositories: field

- name: Generate GitHub App token
  uses: actions/create-github-app-token@...
  with:
    repositories: ${{ github.event.repository.name }}  # → caller repo

This token is passed as github-token to every subsequent step in safe_outputs. If it's scoped only to the caller repo, any API call targeting the platform repo (including dispatch_workflow) will 403.

2. The dispatch_workflow handler config

The compiled GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG has no target-repo entry for dispatch_workflow:

{"dispatch_workflow":{"max":1,"workflow_files":{"agentic-worker":".lock.yml"},"workflows":[...]}}

Without a target-repo, safe_output_handler_manager.cjs falls back to github.repository (the caller repo) when dispatching. The worker workflow file doesn't exist there, and the token can't authorise it anyway.

So propagating target_repo and fixing the CheckoutManager is necessary but not sufficient — the App token scoping and the dispatch_workflow handler config need to be updated with the resolved platform repo as well. The CheckoutManager fix alone would correct actions/checkout calls but leave dispatch_workflow still broken.

Per review feedback: add crossRepoTargetRepo to CheckoutManager so the platform (host) repo is accessible wherever checkout is needed. - Add crossRepoTargetRepo field + SetCrossRepoTargetRepo/GetCrossRepoTargetRepo to CheckoutManager - Expose target_repo as activation job output (needs.activation.outputs.target_repo) so agent/safe_outputs jobs can reference it - Use SetCrossRepoTargetRepo in generateCheckoutGitHubFolderForActivation instead of passing raw string - Set crossRepoTargetRepo on agent job's CheckoutManager using needs.activation.outputs.target_repo - Add TestCrossRepoTargetRepo and TestActivationJobTargetRepoOutput tests - Recompile 166 lock files + update golden test files Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-03-11T21:11:55Z

@copilot the target_repo value needs to be propagated to the other jobs (agent/safe_outputs/...) and use whenever checkout is needed. Update the checkout manager.

Done in e449f3f. Changes made:

CheckoutManager updated — added crossRepoTargetRepo field with SetCrossRepoTargetRepo / GetCrossRepoTargetRepo methods. This is the canonical place to carry the platform repo expression for any checkout step that needs it.
Activation job exposes target_repo as an output — target_repo: ${{ steps.resolve-host-repo.outputs.target_repo }} is now in the activation job's outputs map, so downstream jobs can reference needs.activation.outputs.target_repo.
Agent job sets crossRepoTargetRepo on its CheckoutManager — generateMainJobSteps now calls checkoutMgr.SetCrossRepoTargetRepo("${{ needs.activation.outputs.target_repo }}") when a workflow_call trigger is present. Any checkout step generated through that manager (e.g. future .github/.agents sparse checkout) will automatically use the platform repo.
Activation job uses the new API — generateCheckoutGitHubFolderForActivation now calls cm.SetCrossRepoTargetRepo("${{ steps.resolve-host-repo.outputs.target_repo }}") and passes cm.GetCrossRepoTargetRepo() to GenerateGitHubFolderCheckoutStep, instead of hard-coding the expression string.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw g/workflow/actio--norc g/workflow/actio--noprofile x_amd64/link g/wo�� g/workflow/activation_checkout_t-errorsas g/workflow/activation_github_tok-ifaceassert x_amd64/vet rateResolveHostR/bin/sh YG/nd_MPictBenUg-c (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw k/gh-aw/gh-aw/pk--norc k/gh-aw/gh-aw/pk--noprofile x_amd64/compile k/gh�� ct\|activation.*output\|agent.*needs ithub/workflows/smoke-workflow-call.lock.yml x_amd64/vet k/gh-aw/gh-aw/pkgit k/gh-aw/gh-aw/pkrev-parse k/gh-aw/gh-aw/pk--show-toplevel x_amd64/vet (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha graphql -f /usr/bin/git -f owner=github -f git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/gh --local pull.rebase x_amd64/vet /usr/bin/gh (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha k/gh-aw/gh-aw/.github/workflows -buildtags me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } l -ifaceassert -nilfunc bash --no�� k/gh-aw/gh-aw/.github/workflows -tests 86_64/bash l (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha rite '../../../*remote.origin.url .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } /home/REDACTED/worbash /home/REDACTED/wor--norc /home/REDACTED/wor--noprofile kflow.test --no�� 494512/b001/exe/a.out /home/REDACTED/work/gh-aw/gh-aw/pkg/workflow/activation_github_tok-ifaceassert n-dir/bash tHubFolderForActgit pLQ0-P_EQL_F7/djrev-parse (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha graphql -f /usr/bin/gh -f owner=github -f /usr/bin/gh api graphql -f /opt/hostedtoolcache/uv/0.10.9/x86_64/bash -f owner=github -f bash (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linu-f /usr/bin/git se 6766257/b017/vetrev-parse .cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linurev-parse /usr/bin/git se 6766257/b095/vetrev-parse ache/go/1.25.0/x--show-toplevel git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha k/gh-aw/gh-aw/.github/workflows g/workflow/actio-buildtags /usr/bin/git pkg/workflow/datgit g/workflow/activrev-parse k/_temp/uv-pytho--show-toplevel git -C k/gh-aw/gh-aw/.github/workflows config ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile remote.origin.urgit --local $name) { has--show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha k/gh-aw/gh-aw/.github/workflows config .cfg l (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git te '../../../**/git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config /usr/bin/gh remote.origin.urgit (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabl--show-toplevel th .prettierignogit (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/gh -c=4 -nolocalimports -importcfg /usr/bin/gh api k/gh-aw/gh-aw/.github/workflows -f /usr/bin/infocmp l owner=github -f infocmp (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha k/gh-aw/gh-aw/.github/workflows -f /usr/bin/infocmp -f owner=github -f infocmp -1 k/gh-aw/gh-aw/.github/workflows git ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet get --local $name) { has--show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabl--show-toplevel th .prettierignogit (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha ithub/workflows /tmp/go-build2576766257/b053/vet-ifaceassert (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha ../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore --local x_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha ../pkg/workflow/js/**/*.json' ---p --local x_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha te '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore .cfg 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha get --local x_amd64/vet user.email (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha te '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore /home/REDACTED/work/gh-aw/gh-aw/pkg/workflow/compiler_yaml_main_job.go 64/pkg/tool/linux_amd64/vet (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

pelikhan · 2026-03-11T22:06:30Z

@copilot recompile

pelikhan · 2026-03-11T22:07:11Z

@copilot review comments in #20583 (comment)

Copilot · 2026-03-11T22:11:30Z

@copilot recompile

All 166 lock files were already up to date from the previous commit (e449f3f) — make recompile produced no changes.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

…get-repo, and activation dependency Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-03-11T22:34:30Z

@copilot review comments in #20583 (comment)

Addressed in 69ba76a. Three fixes applied for relay workflow scenarios:

safe_outputs now depends on activation when workflow_call is present, so needs.activation.outputs.target_repo is resolvable in that job.
GitHub App token scoped to platform repo — buildGitHubAppTokenMintStep now accepts a fallbackRepoExpr parameter; all safe_outputs/conclusion callers pass ${{ needs.activation.outputs.target_repo }} when a workflow_call trigger is detected (instead of defaulting to github.event.repository.name).
dispatch_workflow handler config gains target-repo — added TargetRepoSlug to DispatchWorkflowConfig and updated the handler builder to emit target-repo. addHandlerManagerConfigEnvVar now injects the relay target repo via safeOutputsWithDispatchTargetRepo when workflow_call is present and no explicit target-repo is configured by the user.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env -json GO111MODULE n-dir/node GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build401021562/b090/vet.cfg es (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha k/gh-aw/gh-aw/.github/workflows go /usr/bin/git -json GO111MODULE h git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/git '**/*.ts' '**/*.git GO111MODULE $name) { has--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha 59aed9d7de0b9cda402fecac:pkg/workflow/notify_comment.go git /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel git /usr/bin/git node js/f�� ache/go/1.25.0/x--show-toplevel git /snap/bin/git --show-toplevel go /usr/bin/git git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha ithub/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env ithub/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD ed } } go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha 402fecac:.github/workflows/smoke-workflow-call.lock.yml git ndor/bin/git --show-toplevel go /usr/bin/git git _har�� 402fecac:pkg/workflow/mcp_github_config.go git ache/node/24.14.0/x64/bin/node --show-toplevel x_amd64/cgo /usr/bin/git git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha get --local 86_64/bash http.https://gitgrep (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/local/bin/bash data/action_pinsgit (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git --local user.email x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /bin/sh HEAD (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha echo "Syncing install-gh-aw.sh to actions/setup-cli/install.sh..." (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha extensions.objectformat (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git get --local x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git enerateActivatiogit pull.rebase x_amd64/vet git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -ldflags -s -w -X main.version=e449f3f-dirty ache/go/1.25.0/x64/pkg/tool/linux_amd64/cgo gh-aw ./cmd/gh-aw (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha pkg/mod/github.com/stretchr/testify@v1.11.1/assert/assertion_compare.go pkg/mod/github.com/stretchr/testify@v1.11.1/assert/assertion_format.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/link --merged e449f3ff0fed6ffcrev-parse 64/bin/git ache/go/1.25.0/x64/pkg/tool/linux_amd64/link -uns�� 4851624/b001/workflow.test /tmp/go-build401021562/b033/vet.cfg p/bin/bash (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --tags --always ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha k/gh-aw/gh-aw/.github/workflows config /usr/bin/gh l GOWORK 64/bin/go /usr/bin/gh api k/gh-aw/gh-aw/.github/workflows -f p/bin/bash l owner=github -f git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel 59aed9d7de0b9cda402fecac ache/uv/0.10.9/x86_64/git --show-toplevel sh /usr/bin/git node js/f�� 59aed9d7de0b9cda402fecac:pkg/workflow/mcp_github_config.go git /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel node /usr/bin/git node (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha actions/setup-cli/install.sh (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha xterm-color GOPROXY /usr/bin/git GOSUMDB GOWORK 64/bin/go git -C k/gh-aw/gh-aw/.github/workflows rev-parse rgo/bin/bash l GO111MODULE DiscussionsEnabl--show-toplevel infocmp (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel 59aed9d7de0b9cda402fecac /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel sh /usr/bin/git node js/f�� 59aed9d7de0b9cda402fecac:pkg/workflow/dispatch_workflow.go git /opt/hostedtoolcache/node/24.14.0/x64/bin/node --show-toplevel node 86_64/node node (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -json GO111MODULE me: String!) { repository(owne-nilfunc GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --show-toplevel /usr/bin/gh 0/x64/bin/node graphql -f /snap/bin/bash git cjs --show-toplevel bash ache/node/24.14.0/x64/bin/node --noprofile go /usr/bin/git git (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha -json GO111MODULE ache/go/1.25.0/xGOMODCACHE ATH/bin:$PATH" ggo GOMOD GOMODCACHE go env run check:pkg-jsGOINSECURE GO111MODULE 8d519d9/node_modGOMODCACHE GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel git /usr/bin/git 402fecac:.githubnode git 0/x64/bin/git git rev-�� --show-toplevel git /usr/bin/git 402fecac:pkg/worgit git ache/node/24.14./home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha -json GO111MODULE tions/setup/nodeGOMODCACHE GOINSECURE GOMOD GOMODCACHE go env '**/*.ts' '**/*.GOINSECURE GO111MODULE ache/go/1.25.0/xGOMODCACHE GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha --show-toplevel git inPathSetup_GorootOrdering917765801/001/go/1.25.0/x64/bin/go 402fecac:.githubnode git ache/node/24.14.0/x64/bin/node git rev-�� --show-toplevel git /usr/bin/git 402fecac:pkg/wor/usr/bin/gh git ache/node/24.14.graphql git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha t-driven-relay-checkout^{commit} (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE erignore env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel go /usr/bin/git ithub/workflows GO111MODULE (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha -json GO111MODULE ache/go/1.25.0/xGOMODCACHE GOINSECURE GOMOD GOMODCACHE go env */*.ts' '**/*.jsGOSUMDB GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel git /usr/bin/git 402fecac:pkg/wor/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link git ache/node/24.14.0/x64/bin/node git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git ache/node/24.14.graphql git (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha t-driven-relay-checkout^{commit} (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE erignore env e=false GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel go /usr/bin/git ithub/workflows GO111MODULE /opt/hostedtoolce449f3ff0fed6ffc59aed9d7de0b9cda402fecac:pkg/workflow/compiler_activation_job_test.go git rev-�� --show-toplevel go /usr/bin/git k/gh-aw/gh-aw/.ggit GO111MODULE /usr/bin/gh git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

pelikhan · 2026-03-11T23:42:42Z

@copilot

do a full review of the changes

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-03-11T23:54:52Z

@copilot

do a full review of the changes...

Reviewed and found one remaining issue: the "Cross-repo setup guidance" step still used if: failure() && github.event_name == 'workflow_call' — the same broken condition that caused the original bug. For event-driven relays (issue_comment → workflow_call), event_name is the triggering event, so the guidance would never fire.

Fixed in c5738f8 by replacing it with steps.resolve-host-repo.outputs.target_repo != github.repository, which correctly detects cross-repo invocations regardless of the triggering event, consistent with the checkout fix.

No other issues found — CI passes, all 166 lock files compile, tests green, lint clean.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw .cfg 64/pkg/tool/linuif [ -f .github/aw/actions-lock.json ]; then \ cp .github/aw/actions-lock.json pkg/workflow/data/action_pins.json; \ echo "�� Action pins synced successfully"; \ else \ echo "�� Warning: .github/aw/actions-lock.json does not exist yet" ; \ fi rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git get --local ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet git (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw .cfg 64/pkg/tool/linulog.showsignature=false git rev-�� --show-toplevel 64/pkg/tool/linu--format=format:%H %ct %D /usr/bin/git get --local ache/go/1.25.0/x--noprofile git (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha se 2082025/b183/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 86_64/bash GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -unreachable=false /tmp/go-build2742082025/b037/vet.cfg 2082025/b335/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --abbrev-ref HEAD .cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 2082025/b005/vet.cfg .cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 2082025/b090/vet.cfg .cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --verify copilot/fix-event-driven-relay-checkout ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 2082025/b044/vet.cfg .cfg (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --abbrev-ref HEAD .cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --abbrev-ref HEAD .cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git get .cfg ache/go/1.25.0/x--noprofile git rev-�� 'origin' 'origin' /usr/bin/git se 2082025/b043/vet-C ache/go/1.25.0/x/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/gh get --local ache/go/1.25.0/x--noprofile gh api 40\} ature-branch.patch /usr/bin/git se 2082025/b090/vetapi .cfg git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE ortcfg env g/sliceutil/slicGOINSECURE g/sliceutil/slicGOMOD 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel git /home/REDACTED/.local/bin/node --local user.name .cfg node /opt�� st-repo.*target_repo.*github.repository\|github.event_name.*workflow_call --package-lock-only /usr/bin/git se 2082025/b086/vetapi ache/go/1.25.0/xgraphql git (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE ortcfg env g/stringutil/ansGOINSECURE g/stringutil/ideGOMOD 64/bin/go GOINSECURE erignore GOMODCACHE ache/go/1.25.0/xGO111MODULE (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

pelikhan · 2026-03-12T00:21:43Z

@johnwilliams-12 take a peek. I think it's ready for testing.

Initial plan

34dac68

Copilot AI assigned Copilot and pelikhan Mar 11, 2026

Copilot started work on behalf of pelikhan March 11, 2026 19:59 View session

Copilot AI linked an issue Mar 11, 2026 that may be closed by this pull request

Cross-repo activation checkout still broken for event-driven relay workflows after #20301 #20567

Closed

Copilot AI changed the title ~~[WIP] [GH-AW-20301] Fix checkout issue for event-driven relays~~ Fix cross-repo activation checkout for event-driven relay workflows Mar 11, 2026

Copilot finished work on behalf of pelikhan March 11, 2026 20:27

Merge branch 'main' into copilot/fix-event-driven-relay-checkout

df1af5e

pelikhan marked this pull request as ready for review March 11, 2026 20:37

Copilot AI review requested due to automatic review settings March 11, 2026 20:37

Copilot started reviewing on behalf of pelikhan March 11, 2026 20:37 View session

pelikhan approved these changes Mar 11, 2026

View reviewed changes

Copilot AI reviewed Mar 11, 2026

View reviewed changes

Copilot started work on behalf of pelikhan March 11, 2026 20:48 View session

github-actions bot added the ai-inspected label Mar 11, 2026

pelikhan and others added 2 commits March 11, 2026 13:59

Merge branch 'main' into copilot/fix-event-driven-relay-checkout

0ad9c33

Copilot finished work on behalf of pelikhan March 11, 2026 21:13

Copilot started work on behalf of pelikhan March 11, 2026 22:06 View session

Copilot finished work on behalf of pelikhan March 11, 2026 22:12

Copilot started work on behalf of pelikhan March 11, 2026 22:12 View session

Fix safe_outputs for relay workflows: app token scoping, dispatch tar…

69ba76a

…get-repo, and activation dependency Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot finished work on behalf of pelikhan March 11, 2026 22:35

Copilot started work on behalf of pelikhan March 11, 2026 23:42 View session

Fix Cross-repo setup guidance step condition for relay workflows

c5738f8

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot finished work on behalf of pelikhan March 11, 2026 23:56

Merge branch 'main' into copilot/fix-event-driven-relay-checkout

9666a4b

pelikhan approved these changes Mar 12, 2026

View reviewed changes

pelikhan merged commit 9bc291d into main Mar 12, 2026
51 checks passed

pelikhan deleted the copilot/fix-event-driven-relay-checkout branch March 12, 2026 00:41

This was referenced Mar 12, 2026

[docs] Update documentation for features from 2026-03-12 #20632

Merged

[Daily Report] Daily Status Report — 2026-03-12 #20650

Open

Conversation

Copilot AI commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Root cause

Changes

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Copilot AI Mar 11, 2026

Choose a reason for hiding this comment

Uh oh!

johnwilliams-12 commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pelikhan commented Mar 11, 2026

Uh oh!

johnwilliams-12 commented Mar 11, 2026

Uh oh!

Copilot AI commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Mar 11, 2026

Uh oh!

pelikhan commented Mar 11, 2026

Uh oh!

Copilot AI commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Mar 11, 2026

Uh oh!

Copilot AI commented Mar 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Mar 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Copilot AI commented Mar 11, 2026 •

edited

Loading

johnwilliams-12 commented Mar 11, 2026 •

edited

Loading

Copilot AI commented Mar 11, 2026 •

edited

Loading

Copilot AI commented Mar 11, 2026 •

edited

Loading

Copilot AI commented Mar 11, 2026 •

edited

Loading

Copilot AI commented Mar 11, 2026 •

edited

Loading