Upgrade gh-aw v0.48.1 → v0.49.0, template safe-output max fields

[Copilot]

Upgrades gh-aw from v0.48.1 to v0.49.0 and wires templated safe-output max inputs where runtime configurability is needed.

What changed

gh-aw version + generated workflow refresh

• Bumped GH_AW_VERSION in Makefile to v0.49.0.
• Updated .github/workflows/agentics-maintenance.yml to use github/gh-aw/actions/setup@v0.49.0.
• Refreshed .github/aw/actions-lock.json with the new setup action pin.
• Recompiled generated lock workflows with the v0.49.0 compiler output, including the pre_activation.outputs.matched_command wiring alignment across regenerated .lock.yml workflows.

Templated safe-output max inputs

Added workflow-call inputs and wired them into safe-output config:

Safe-output	Input	Default	Where wired
create-issue.max	create-issue-max	5	.github/workflows/gh-aw-plan.md
create-pull-request-review-comment.max	create-pull-request-review-comment-max	30	.github/workflows/gh-aw-pr-review.md, .github/workflows/gh-aw-docs-pr-review.md, .github/workflows/gh-aw-mention-in-pr.md, .github/workflows/gh-aw-mention-in-pr-no-sandbox.md, and .github/workflows/gh-aw-fragments/safe-output-review-comment.md
resolve-pull-request-review-thread.max	resolve-pull-request-review-thread-max	10	.github/workflows/gh-aw-mention-in-pr.md, .github/workflows/gh-aw-mention-in-pr-no-sandbox.md, and .github/workflows/gh-aw-fragments/safe-output-resolve-thread.md

draft-prs remains driven by the existing input wiring.

CI trigger script alignment

• Updated scripts/trigger-ci-workflows.sh monitor workflow names by adding Agent Deep Dive and renaming Trigger Agent Efficiency to Agent Efficiency.

• Fixes [gh-aw-upgrade] gh-aw upgrade available: v0.48.1 → v0.49.0 #371

Generated by Update PR Body for issue #376

[coderabbitai]

📝 Walkthrough

Walkthrough

Upgrade gh-aw to v0.49.0 across workflows and lockfiles: updated setup action pins, bumped agent/tool/image versions, refactored prompt-file assembly, added workflow inputs/outputs (matched_command, code_push_failure_count, code_push_failure_errors), and extended safe-outputs configuration and propagation.

Changes

Cohort / File(s)	Summary
Version Lock & Manifest \.github/aw/actions-lock.json, Makefile	Added new setup action entry (github/gh-aw/actions/setup@v0.49.0) to actions-lock; bumped GH_AW_VERSION in Makefile from v0.48.1 → v0.49.0.
Workflow public inputs (docs/md) \.github/workflows/*.md, \.github/workflows/gh-aw-fragments/safe-output-*.md	Added/extended workflow_call inputs: e.g., create-pull-request-review-comment-max, resolve-pull-request-review-thread-max, create-issue-max; parameterized safe-outputs constraints.
Workflow lockfiles — setup & prompt assembly \.github/workflows/.../*.lock.yml (many files, ~43)	Updated setup action pins to v0.49.0; refactored GH_AW_PROMPT assembly from repeated heredoc/appends to brace-wrapped block writes (single final redirection to "$GH_AW_PROMPT").
Workflow lockfiles — outputs & safe-outputs config All affected \.lock.yml files	Added job outputs matched_command (pre_activation/activation) and code_push_failure_count / code_push_failure_errors (safe_outputs); threaded these outputs through failure-handling and safe-outputs flows; added close_older_issues: false / draft fields to safe-outputs handler configs where present.
Workflow lockfiles — version and image bumps All affected \.lock.yml files	Bumped agent_version 0.0.412 → 0.0.414; awmg_version v0.1.4 → v0.1.5; updated mcpg/MCP image tags to v0.1.5; updated Copilot CLI install targets; normalized some numeric envs to strings (e.g., GH_AW_NOOP_MAX: "1").
Scripts scripts/trigger-ci-workflows.sh	Modified MONITORS list: replaced single "Trigger Agent Efficiency" entry with two entries: "Agent Deep Dive" and "Agent Efficiency".

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• [agent-deep-dive] Agent deep dive: gh-aw-duplicate-issue-detector - 2026-02-21 #346 — Agent Deep Dive / duplicate-issue detector touches same workflows; changes here update those lockfiles and prompt assembly referenced by that issue.

Possibly related PRs

• Improve close-older-issues defaults for auditor/detector workflows #358 — Modifies safe-outputs create_issue settings (close_older_issues); strongly related to the safe-outputs config changes in this PR.
• Add draft-prs input to PR-creating workflows; default true for shared, false for triggers #328 — Adds/propagates draft PR configuration; related to the draft fields wired into safe-outputs here.
• Upgrade gh-aw compiler to v0.47.4 with inline prompts #240 — Updated actions-lock.json entries previously; closely related to the actions-lock.json addition in this PR.

Suggested reviewers

• github-actions

Poem

🐇 I hopped through workflows, nibbling old pins,

Braced the prompts, untangled the bins.
Versions bumped, outputs now sing,
Safe outputs snug with a fresh little ring.
Hooray—v0.49.0, let the pipelines spring!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the primary change: upgrading gh-aw to v0.49.0 and templating safe-output max fields.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue #371: upgrades GH_AW_VERSION, updates workflows to v0.49.0, introduces templatable max inputs (create-issue-max, create-pull-request-review-comment-max, resolve-pull-request-review-thread-max), and regenerates lock files.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the upgrade objectives. The only tangential change is the scripts/trigger-ci-workflows.sh update, which reflects workflow name changes introduced by the gh-aw upgrade.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch copilot/upgrade-gh-aw-to-v0-49-0-again

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

[LOW] Limitation text no longer matches configurable max

This fragment now makes max configurable via $\{\{ inputs.resolve-pull-request-review-thread-max }}, but the prose below still states a fixed limit of 10 per run. That can mislead reviewers when a caller overrides the default.

Consider wording this as "default is 10" (or referencing the input) so the instructions stay accurate when customized.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/gh-aw-fragments/safe-output-resolve-thread.md:
- Around line 3-4: Update the docs so the "max-per-run" limitation reflects the
configurable input instead of hardcoding 10: change any text in the limitations
section that states "max 10" to reference the input name
resolve-pull-request-review-thread-max and note its default is 10 (e.g.,
"configurable via inputs.resolve-pull-request-review-thread-max, default 10") so
it aligns with the workflow key resolve-pull-request-review-thread and the max
setting max: ${{ inputs.resolve-pull-request-review-thread-max }}.

In @.github/workflows/gh-aw-test-improvement.lock.yml:
- Line 1575: The GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG JSON currently contains
"draft":"${{ inputs.draft-prs }}" which produces a string; update the
safe-output-create-pr.md template so the draft property emits an unquoted
boolean (e.g., draft: ${{ inputs.draft-prs }} or render true/false directly) so
the compiled GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG has draft as a JSON boolean
inside the create_pull_request object; then re-run the compilation step (gh aw
compile) to regenerate the workflows and verify
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG contains draft:false or draft:true (not
quoted).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find the source .md file corresponding to gh-aw-test-improvement.lock.yml
fd -e md -path "*/workflows/*" | grep -i "test-improvement"

Repository: elastic/ai-github-actions

Length of output: 237

---

🏁 Script executed:

# Search for GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG in .md files
rg "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG" -A 3 -B 3 --type markdown

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Also check all .md files in the workflows directory
find .github/workflows -name "*.md" -type f

Repository: elastic/ai-github-actions

Length of output: 3389

---

🏁 Script executed:

# Search for GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG in all markdown files
rg "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG" -A 2 -B 2

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Also check which .md file corresponds to gh-aw-test-improvement.lock.yml
# List both the potential source and check the lock file timestamp
ls -la .github/workflows/gh-aw-test-improve*.* 2>/dev/null | head -20

Repository: elastic/ai-github-actions

Length of output: 356

---

🏁 Script executed:

# Search for GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG in the source .md file
cat -n .github/workflows/gh-aw-test-improver.md | grep -A 5 -B 5 "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG"

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Also check if there's a gh-aw-test-improvement.md file (exact name match)
cat .github/workflows/gh-aw-test-improvement.md 2>&1 | head -5

Repository: elastic/ai-github-actions

Length of output: 144

---

🏁 Script executed:

# Check the content at line 1575 in the target lock file
sed -n '1570,1580p' .github/workflows/gh-aw-test-improvement.lock.yml

Repository: elastic/ai-github-actions

Length of output: 801

---

🏁 Script executed:

# Search for GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG in gh-aw-test-improver.md
rg "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG" .github/workflows/gh-aw-test-improver.md -A 3 -B 3

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Search more broadly in all .md files for the draft configuration
rg "draft.*inputs\.draft-prs" .github/workflows/

Repository: elastic/ai-github-actions

Length of output: 4204

---

🏁 Script executed:

# Check which .md files reference create_pull_request config
rg "create_pull_request" .github/workflows/ -l

Repository: elastic/ai-github-actions

Length of output: 1922

---

🏁 Script executed:

# Look at the safe-output-create-pr.md fragment since that's likely where the config is defined
cat .github/workflows/gh-aw-fragments/safe-output-create-pr.md

Repository: elastic/ai-github-actions

Length of output: 2240

---

🏁 Script executed:

# Check how the safe-output-create-pr.md fragment is included in the source files that generate lock files
rg "safe-output-create-pr" .github/workflows/*.md

Repository: elastic/ai-github-actions

Length of output: 1232

---

🏁 Script executed:

# Look at the gh-aw-test-improver.md to see how it uses the safe-output-create-pr fragment
cat -n .github/workflows/gh-aw-test-improver.md | head -100

Repository: elastic/ai-github-actions

Length of output: 3862

---

🏁 Script executed:

# Find where the handler code is and check what it expects for the draft field
find . -name "*handler*" -o -name "*safe*output*" | grep -v ".lock.yml" | grep -v node_modules

Repository: elastic/ai-github-actions

Length of output: 625

---

🏁 Script executed:

# Check the full gh-aw-test-improver.md to see if there's any safe-outputs configuration section
cat .github/workflows/gh-aw-test-improver.md | grep -A 20 "safe-outputs:"

Repository: elastic/ai-github-actions

Length of output: 540

---

🏁 Script executed:

# Check the safe outputs validation rules
cat ./scripts/gh-aw-safe-outputs-validation-rules.md

Repository: elastic/ai-github-actions

Length of output: 11335

---

🏁 Script executed:

# Search for where GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG is constructed or how the compilation happens
rg "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG" -B 5 -A 5 .github/workflows/gh-aw-test-improver.md

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Look for any compilation or build scripts
find . -name "*.json" -o -name "*.js" -o -name "*.py" | grep -E "(compile|build|transform)" | head -10

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Look at the safe-output-create-pr.md fragment more carefully
cat -n .github/workflows/gh-aw-fragments/safe-output-create-pr.md

Repository: elastic/ai-github-actions

Length of output: 2457

---

🏁 Script executed:

# Search for any documentation or code about how gh aw compile handles the config
rg "gh aw compile" -A 5 -B 5

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Check if there's a README or docs about the workflow compilation
cat README.md 2>/dev/null | head -200

Repository: elastic/ai-github-actions

Length of output: 2062

---

🏁 Script executed:

# Check if there are any comments or examples in the safe-output-create-pr.md about JSON structure or special syntax
cat .github/workflows/gh-aw-fragments/safe-output-create-pr.md | grep -i "json\|template\|boolean\|syntax" -B 2 -A 2

Repository: elastic/ai-github-actions

Length of output: 965

---

🏁 Script executed:

# Look at other safe-output fragments to see how they handle config values
ls -la .github/workflows/gh-aw-fragments/safe-output-*.md | head -5

Repository: elastic/ai-github-actions

Length of output: 619

---

🏁 Script executed:

# Check the actual handler code in the compiled lock file to understand if it uses draft as a boolean or string
sed -n '1575,1700p' .github/workflows/gh-aw-test-improvement.lock.yml | grep -A 50 "Process Safe Outputs"

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Look at the actual handler code in the gh-aw repository or documentation
# First, let's check what the handler does with the draft field by looking at references in the repo
rg "draft" .github/workflows/gh-aw-fragments/safe-output-create-pr.md -B 5 -A 5

Repository: elastic/ai-github-actions

Length of output: 619

---

🏁 Script executed:

# Let's see how the github-script action receives and parses the GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG
sed -n '1560,1650p' .github/workflows/gh-aw-test-improvement.lock.yml

Repository: elastic/ai-github-actions

Length of output: 1826

---

🏁 Script executed:

# Check if there are other places in the codebase that show how the config is parsed
rg "GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG" -A 20 | head -80

Repository: elastic/ai-github-actions

Length of output: 51

---

Fix the draft field to emit as a JSON boolean instead of a string

The draft field in .github/workflows/gh-aw-fragments/safe-output-create-pr.md is quoted inside the JSON config, producing "draft":"true" or "draft":"false" strings. If the handler expects a boolean, string "false" evaluates as truthy in JavaScript, forcing draft PRs or causing validation errors. Remove the quotes around the variable so it compiles to a boolean:

Fix (apply in safe-output-create-pr.md)

-    draft: ${{ inputs.draft-prs }}
+    draft: ${{ inputs.draft-prs }}

Actually, the issue is in how the compiled config embeds this. The source .md shows draft: ${{ inputs.draft-prs }} unquoted, but during compilation into the JSON string for GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG, it becomes quoted. Update the source to emit the boolean directly in the JSON:

-          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.base_ref || github.ref_name }}\",\"draft\":\"${{ inputs.draft-prs }}\",\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{}}"
+          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.base_ref || github.ref_name }}\",\"draft\":${{ inputs.draft-prs }},\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{}}"

This affects multiple workflows. Update the source .md template and re-run gh aw compile.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.base_ref || github.ref_name }}\",\"draft\":\"${{ inputs.draft-prs }}\",\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{}}"
	GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"create_pull_request\":{\"base_branch\":\"${{ github.base_ref || github.ref_name }}\",\"draft\":${{ inputs.draft-prs }},\"max\":1,\"max_patch_size\":1024},\"missing_data\":{},\"missing_tool\":{}}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-test-improvement.lock.yml at line 1575, The
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG JSON currently contains "draft":"${{
inputs.draft-prs }}" which produces a string; update the
safe-output-create-pr.md template so the draft property emits an unquoted
boolean (e.g., draft: ${{ inputs.draft-prs }} or render true/false directly) so
the compiled GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG has draft as a JSON boolean
inside the create_pull_request object; then re-run the compilation step (gh aw
compile) to regenerate the workflows and verify
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG contains draft:false or draft:true (not
quoted).

[github-actions]

Requesting changes: the monitor workflow names in scripts/trigger-ci-workflows.sh should use the exact workflow names so dispatch works reliably.

---

What is this? | From workflow: PR Review

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[github-actions]

[MEDIUM] Monitor workflow names do not match actual workflow names

The monitor list now uses "Agent Deep Dive" and "Agent Efficiency", but the actual workflow names are "Internal: Agent Deep Dive" and "Internal: Agent Efficiency" (see .github/workflows/agent-deep-dive.lock.yml and .github/workflows/agent-efficiency.lock.yml). gh workflow run matches by exact name/ID/filename, so these entries will fail to dispatch.

Suggested change

	"Agent Efficiency"
	"Internal: Agent Deep Dive"
	"Internal: Agent Efficiency"