Upgrade gh-aw to v0.49.4 and disable activation comments on all workflows

[Copilot]

Upgrades gh-aw from v0.49.2 to v0.49.4 and disables activation/fallback comments across gh-aw workflows using activation-comments: false.

What changed

• Updated GH_AW_VERSION in Makefile to v0.49.4.
• Added safe-outputs.activation-comments: false to all .github/workflows/gh-aw-*.md workflow definitions.
  • Where safe-outputs already existed, only the new property was added.
  • Where it was missing, a minimal safe-outputs block was added.
• Recompiled workflow lockfiles with make compile.
• Updated .github/aw/actions-lock.json to include github/gh-aw/actions/setup@v0.49.4.

Why

This picks up the v0.49.3/v0.49.4 improvements called out in the upgrade issue, including the activation-comments option and related gh-aw fixes.

Fixes #386

Generated by Update PR Body for issue #390

Summary by CodeRabbit

• New Features
  • Inline threat-detection added to agent runs, producing detection results, logs, and conditional gating of safe-output processing.
• Chores
  • Upgraded gh‑aw tooling and Copilot CLI versions across workflows.
  • Disabled activation comments by default in safe-outputs.
  • Workflow tool/permission updates to support the new detection flow.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0fa01b7 and fd4d8b1.

📒 Files selected for processing (84)

• .github/aw/actions-lock.json
• .github/workflows/agent-deep-dive.lock.yml
• .github/workflows/agent-efficiency.lock.yml
• .github/workflows/agentics-maintenance.yml
• .github/workflows/downstream-users.lock.yml
• .github/workflows/gh-aw-agent-suggestions.lock.yml
• .github/workflows/gh-aw-branch-actions-detective.lock.yml
• .github/workflows/gh-aw-branch-actions-detective.md
• .github/workflows/gh-aw-breaking-change-detect.lock.yml
• .github/workflows/gh-aw-breaking-change-detector.lock.yml
• .github/workflows/gh-aw-bug-exterminator.lock.yml
• .github/workflows/gh-aw-bug-exterminator.md
• .github/workflows/gh-aw-bug-hunter.lock.yml
• .github/workflows/gh-aw-bug-hunter.md
• .github/workflows/gh-aw-code-duplication-detector.lock.yml
• .github/workflows/gh-aw-code-duplication-fixer.lock.yml
• .github/workflows/gh-aw-code-duplication-fixer.md
• .github/workflows/gh-aw-code-simplifier.lock.yml
• .github/workflows/gh-aw-code-simplifier.md
• .github/workflows/gh-aw-deep-research.lock.yml
• .github/workflows/gh-aw-docs-drift.lock.yml
• .github/workflows/gh-aw-docs-patrol-external.lock.yml
• .github/workflows/gh-aw-docs-patrol.lock.yml
• .github/workflows/gh-aw-docs-pr-review.lock.yml
• .github/workflows/gh-aw-docs-pr-review.md
• .github/workflows/gh-aw-downstream-health.lock.yml
• .github/workflows/gh-aw-downstream-health.md
• .github/workflows/gh-aw-duplicate-issue-detector.lock.yml
• .github/workflows/gh-aw-flaky-test-investigator.lock.yml
• .github/workflows/gh-aw-issue-fixer.lock.yml
• .github/workflows/gh-aw-issue-fixer.md
• .github/workflows/gh-aw-issue-triage.lock.yml
• .github/workflows/gh-aw-issue-triage.md
• .github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml
• .github/workflows/gh-aw-mention-in-issue-no-sandbox.md
• .github/workflows/gh-aw-mention-in-issue.lock.yml
• .github/workflows/gh-aw-mention-in-issue.md
• .github/workflows/gh-aw-mention-in-pr-by-id.lock.yml
• .github/workflows/gh-aw-mention-in-pr-by-id.md
• .github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml
• .github/workflows/gh-aw-mention-in-pr-no-sandbox.md
• .github/workflows/gh-aw-mention-in-pr.lock.yml
• .github/workflows/gh-aw-mention-in-pr.md
• .github/workflows/gh-aw-newbie-contributor-fixer.lock.yml
• .github/workflows/gh-aw-newbie-contributor-fixer.md
• .github/workflows/gh-aw-newbie-contributor-patrol-external.lock.yml
• .github/workflows/gh-aw-newbie-contributor-patrol.lock.yml
• .github/workflows/gh-aw-performance-profiler.lock.yml
• .github/workflows/gh-aw-plan.lock.yml
• .github/workflows/gh-aw-plan.md
• .github/workflows/gh-aw-pr-actions-detective.lock.yml
• .github/workflows/gh-aw-pr-actions-fixer.lock.yml
• .github/workflows/gh-aw-pr-buildkite-detective.lock.yml
• .github/workflows/gh-aw-pr-buildkite-detective.md
• .github/workflows/gh-aw-pr-ci-detective.lock.yml
• .github/workflows/gh-aw-pr-review-addresser.lock.yml
• .github/workflows/gh-aw-pr-review-addresser.md
• .github/workflows/gh-aw-pr-review.lock.yml
• .github/workflows/gh-aw-pr-review.md
• .github/workflows/gh-aw-product-manager-impersonator.lock.yml
• .github/workflows/gh-aw-project-summary.lock.yml
• .github/workflows/gh-aw-refactor-opportunist.lock.yml
• .github/workflows/gh-aw-refactor-opportunist.md
• .github/workflows/gh-aw-release-update.lock.yml
• .github/workflows/gh-aw-release-update.md
• .github/workflows/gh-aw-scheduled-audit.lock.yml
• .github/workflows/gh-aw-scheduled-audit.md
• .github/workflows/gh-aw-scheduled-fix.lock.yml
• .github/workflows/gh-aw-scheduled-fix.md
• .github/workflows/gh-aw-small-problem-fixer.lock.yml
• .github/workflows/gh-aw-small-problem-fixer.md
• .github/workflows/gh-aw-stale-issues.lock.yml
• .github/workflows/gh-aw-test-improvement.lock.yml
• .github/workflows/gh-aw-test-improver.lock.yml
• .github/workflows/gh-aw-test-improver.md
• .github/workflows/gh-aw-text-auditor.lock.yml
• .github/workflows/gh-aw-text-beautifier.lock.yml
• .github/workflows/gh-aw-text-beautifier.md
• .github/workflows/gh-aw-update-pr-body.lock.yml
• .github/workflows/gh-aw-ux-design-patrol.lock.yml
• .github/workflows/upgrade-check.lock.yml
• .github/workflows/workflow-patrol.lock.yml
• CODE_STYLE.md
• Makefile

---

📝 Walkthrough

Walkthrough

This PR updates gh-aw setup pins and related version metadata, adds an inline threat-detection sequence (guard, prepare, run Copilot CLI, parse, upload, conclusion) into agent workflows, exposes detection outputs, and adds safe-outputs activation-comments:false plus quoting/git tweaks across many workflow files and the Makefile.

Changes

Cohort / File(s)	Summary
Lock / Pin Updates Makefile, .github/aw/actions-lock.json	Bumped GH_AW_VERSION and added lock entries for new gh-aw setup SHAs (v0.49.4, v0.50.1 variants).
Agent workflows & locks .github/workflows/*agent*.lock.yml, .github/workflows/*-detective.lock.yml, .github/workflows/*-*fixer.lock.yml, .github/workflows/*-*patrol*.lock.yml, .github/workflows/*-bug-*.lock.yml, .github/workflows/*-hunter.lock.yml, .github/workflows/*-duplication*.lock.yml, .github/workflows/*-plan.lock.yml, .github/workflows/*-pr*.lock.yml, .github/workflows/*-downstream*.lock.yml, .github/workflows/*-performance*.lock.yml, .github/workflows/*-deep-research.lock.yml, .github/workflows/upgrade-check.lock.yml, .github/workflows/workflow-patrol.lock.yml	Replaced gh-aw/actions/setup pins with newer SHAs in many jobs; inlined a conditional threat-detection flow into agent jobs (detection_guard, prepare, run Copilot CLI, parse, upload, detection_conclusion/detection_success outputs); removed or collapsed standalone detection job references; bumped Copilot/agent version strings; added git config am.keepcr true.
Safe-outputs and messaging .github/workflows/*.lock.yml, .github/workflows/*.md	Added activationComments":"false" / activation-comments: false to GH_AW_SAFE_OUTPUT_MESSAGES / safe-outputs across many workflows (payload shape change).
Allow-domains / awf invocations various .lock.yml files	Adjusted quoting for long --allow-domains arguments (single-quoted → double-quoted or wrapped) and in some places broadened/edited domain lists or added --env-all flags.
Documentation / workflow snippets .github/workflows/*.md	Added activation-comments: false config entries to multiple workflow documentation snippets to match lock changes.

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Actions (agent job)
  participant Guard as detection_guard step
  participant Copilot as GitHub Copilot CLI
  participant MCP as MCP / artifact uploader
  participant Conclusion as conclusion/safe_outputs

  GH->>Guard: evaluate outputs (output_types, has_patch)
  Guard-->>GH: run_detection (true/false)
  alt run_detection == true
    GH->>Copilot: prepare files & invoke Copilot CLI (restricted tools/domains)
    Copilot-->>GH: detection results (stdout, artifact)
    GH->>MCP: upload detection log/artifact
    MCP-->>GH: upload result
    GH->>Conclusion: set detection_conclusion & detection_success
  else run_detection == false
    GH->>Conclusion: set detection_conclusion = skipped, detection_success = true
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• [gh-aw-upgrade] gh-aw upgrade available: v0.49.2 → v0.50.0 #397 — Both update gh-aw setup/version pins and workflow adjustments; likely same objective (pin/lock alignment).
• [gh-aw-upgrade] gh-aw upgrade available: v0.49.2 → v0.49.4 #386 — Upgrade issue recommending GH_AW_VERSION update to v0.49.4 and quoting/activation-comments adoption; this PR implements those steps.

Possibly related PRs

• Add branch-actions-detective for failed main CI runs #372 — Overlaps changes to gh-aw-branch-actions-detective; both modify agent/detection workflow logic.
• Add all ecosystem identifiers to network firewall across all workflows #374 — Related to network/allowlist fragments and broader firewall allowlist edits used by the new detection invocations.
• Upgrade gh-aw to v0.49.4 and disable activation comments on all workflows #390 — Touches action pins and lock metadata updates similar to the new entries added to actions-lock.json.

Suggested reviewers

• github-actions

"I hopped through CI with a thrum,
Version pins polished, workflows hum,
Detection sniffed, logs tucked away,
Quiet comments now let rabbits play,
A tiny patch, a cheerful drum." 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: upgrading gh-aw to v0.49.4 and disabling activation comments across workflows.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue #386: upgraded gh-aw to v0.49.4, adopted activation-comments: false across all 45 gh-aw-*.md files, updated GH_AW_VERSION in Makefile, and recompiled all lock files.
Out of Scope Changes check	✅ Passed	All changes are directly related to the upgrade objectives: version bumps, adding activation-comments configuration, updating Makefile, and recompiling workflows. No unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch copilot/upgrade-gh-aw-to-v0494

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/gh-aw-performance-profiler.md (1)

67-74: ⚠️ Potential issue | 🔴 Critical

activation-comments: false is placed at the wrong level — should be root-level frontmatter, not nested under safe-outputs:.

The key name is correct (activation-comments, not snake_case or camelCase variants), and it was indeed introduced in gh-aw v0.49.3. However, according to the official gh-aw documentation, this option must appear at the top level of frontmatter, not nested inside the safe-outputs: block.

The configuration should be:

---
activation-comments: false

safe-outputs:
  noop:
  create-issue:
    max: 1
    title-prefix: "[performance-profiler] "
    close-older-issues: false
    expires: 7d
---

Move activation-comments: false to the root level (same indentation as safe-outputs:), not as a child of it.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-performance-profiler.md around lines 67 - 74, Move
the activation-comments setting out from under safe-outputs and place it at the
root frontmatter level: remove activation-comments: false as a child of
safe-outputs and add it as a top-level frontmatter key alongside safe-outputs so
activation-comments and safe-outputs share the same indentation; reference the
existing activation-comments and safe-outputs keys when updating the YAML.

♻️ Duplicate comments (16)

.github/workflows/gh-aw-duplicate-issue-detector.lock.yml (3)

1125-1126: Duplicate activationComments addition.
No additional notes beyond the earlier approval.

Also applies to: 1291-1292

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-duplicate-issue-detector.lock.yml around lines 1125
- 1126, Duplicate setting for activationComments is present in
GH_AW_SAFE_OUTPUT_MESSAGES (and repeated at the block with GH_AW_GROUP_REPORTS)
— remove the redundant activationComments insertion so the JSON value for
GH_AW_SAFE_OUTPUT_MESSAGES appears only once; locate the occurrences referencing
GH_AW_SAFE_OUTPUT_MESSAGES and GH_AW_GROUP_REPORTS and delete the duplicate line
that adds "activationComments":"false" (or consolidate to a single definition),
ensuring the remaining GH_AW_SAFE_OUTPUT_MESSAGES value is valid JSON and not
repeated.

---

901-902: Duplicate awf --env-all change — please apply the same verification.

gh-aw awf --env-all flag meaning and recommended usage

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-duplicate-issue-detector.lock.yml around lines 901 -
902, This duplicate invocation of the awf --env-all command (the line starting
with "sudo -E awf --env-all") needs the same verification applied as the other
occurrence: ensure the same whitelist (--allow-domains list), proxy/log flags,
and the downstream copilot invocation (/usr/local/bin/copilot --add-dir ...
--prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)") are present and validated;
update this block so it matches the previously verified awf usage (same flags,
domains, --enable-host-access, --enable-api-proxy, and logging options) and add
the same comment or CI check that confirms the --env-all implications have been
reviewed.

---

101-103: Same setup action bump as other workflows.
No additional notes beyond the earlier approval.

Also applies to: 496-498, 1073-1075, 1164-1166, 1260-1262, 1303-1305

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-duplicate-issue-detector.lock.yml around lines 101 -
103, Update the setup action reference to match the approved bump used in the
other workflows by replacing the current uses string "uses:
github/gh-aw/actions/setup@bf34f9947505c887fdc597a13b8ff277cccd9c20" with the
same tag/commit hash that was applied elsewhere, keeping the "with: destination:
/opt/gh-aw/actions" block unchanged; ensure you make the identical change for
all other occurrences of that uses line so every workflow is consistent.

.github/workflows/gh-aw-project-summary.lock.yml (3)

102-104: Same setup action bump as other workflows.
No additional notes beyond the earlier approval.

Also applies to: 503-505, 1170-1172, 1261-1263, 1357-1359, 1399-1401

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-project-summary.lock.yml around lines 102 - 104,
Multiple workflow steps use an older pin for the GitHub action
github/gh-aw/actions/setup@bf34f9947505c887fdc597a13b8ff277cccd9c20; update each
occurrence (the "uses: github/gh-aw/actions/setup@..." entries) to the same
newer version/commit used in the other workflows so all setups are consistent
across the file (apply the same update to the other occurrences mentioned: the
duplicate blocks near the listed ranges).

---

1222-1223: Duplicate activationComments addition.
No additional notes beyond the earlier approval.

Also applies to: 1387-1388

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-project-summary.lock.yml around lines 1222 - 1223,
The GH_AW_SAFE_OUTPUT_MESSAGES environment entry includes a duplicated
activationComments field; locate the GH_AW_SAFE_OUTPUT_MESSAGES definition (the
string containing "footer" and "activationComments") and remove the duplicate
"activationComments" insertion so the JSON value only defines activationComments
once (ensure the remaining one uses the intended value), and likewise remove the
repeated instance at the other occurrence referenced (the second
GH_AW_SAFE_OUTPUT_MESSAGES block around the other occurrence) to avoid
conflicting/duplicate keys.

---

999-1000: Duplicate awf --env-all change — please apply the same verification.

gh-aw awf --env-all flag meaning and recommended usage

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-project-summary.lock.yml around lines 999 - 1000,
The PR introduced a duplicate change to the awf invocation: locate all uses of
the awf command with the --env-all flag (search for the token "awf --env-all")
and make the same verification/update consistently for each occurrence — ensure
each awf invocation includes the same allow/deny flags, domains list, proxy/log
args and the same sandbox options as in the shown invocation so behavior is
consistent; update any mismatched invocations (or add missing verification
steps) to match the canonical invocation (the one that includes --allow-domains,
--log-level, --proxy-logs-dir, --enable-host-access, --image-tag, --skip-pull,
--enable-api-proxy, etc.).

.github/workflows/gh-aw-breaking-change-detector.lock.yml (3)

1234-1235: Duplicate activationComments addition.
No additional notes beyond the earlier approval.

Also applies to: 1399-1400

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-breaking-change-detector.lock.yml around lines 1234
- 1235, The GH_AW_SAFE_OUTPUT_MESSAGES environment value contains a duplicated
activationComments property; locate the GH_AW_SAFE_OUTPUT_MESSAGES assignment
and remove the redundant activationComments entry so the JSON string only sets
"activationComments" once (keep the intended default value expression ${ {
inputs.messages-footer ... } } intact), ensuring GH_AW_SAFE_OUTPUT_MESSAGES and
GH_AW_GROUP_REPORTS remain unchanged.

---

1011-1012: Duplicate awf --env-all change — please apply the same verification.

gh-aw awf --env-all flag meaning and recommended usage

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-breaking-change-detector.lock.yml around lines 1011
- 1012, The workflow duplicates a change to the awf invocation using the
--env-all flag; update the duplicated sudo -E awf --env-all ... invocation so it
includes the same verification logic/flags as the other occurrence(s) (ensure
the awf command and its downstream copilot run use identical flags and
verification steps), and/or consolidate both usages to a single canonical
invocation of awf --env-all (referencing the exact command string "sudo -E awf
--env-all --container-workdir \"${GITHUB_WORKSPACE}\" ... --enable-api-proxy \\"
and the subsequent "/usr/local/bin/copilot --add-dir ..." call) so the same
recommended verification and flag semantics are applied consistently across the
workflow.

---

102-104: Same setup action bump as other workflows.
No additional notes beyond the earlier approval.

Also applies to: 515-517, 1182-1184, 1273-1275, 1369-1371, 1411-1413

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-breaking-change-detector.lock.yml around lines 102 -
104, Update the GitHub Action "uses" reference for the gh-aw setup action so it
matches the same bumped ref used in other workflows: replace the current "uses:
github/gh-aw/actions/setup@bf34f9947505c887fdc597a13b8ff277cccd9c20" entries
with the identical action ref used elsewhere, keeping the "with: destination:
/opt/gh-aw/actions" block unchanged; apply this same change to the other
occurrences noted (the other uses lines in the file).

.github/workflows/gh-aw-agent-suggestions.lock.yml (1)

1384-1387: Same activation-comments update as above.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-agent-suggestions.lock.yml around lines 1384 - 1387,
The GH_AW_SAFE_OUTPUT_MESSAGES entry currently hardcodes
"activationComments":"false" (inside the GH_AW_SAFE_OUTPUT_MESSAGES string) and
this duplicates the previous activation-comments update; update
GH_AW_SAFE_OUTPUT_MESSAGES to use the inputs activation-comments value like the
other entries (e.g., read inputs.activation-comments or
inputs['activation-comments']), replacing the hardcoded "false" so
activationComments follows the workflow input and avoids duplication; target the
GH_AW_SAFE_OUTPUT_MESSAGES environment variable string in the workflow where
GH_AW_ENGINE_ID/GH_AW_ENGINE_MODEL are set.

.github/workflows/gh-aw-code-simplifier.lock.yml (1)

1459-1462: Same activation-comments update as above.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-code-simplifier.lock.yml around lines 1459 - 1462,
This is a duplicate of the earlier activation-comments change: update the
GH_AW_SAFE_OUTPUT_MESSAGES JSON so its "activationComments" property matches the
earlier update (the same boolean/string value used previously), ensuring
GH_AW_SAFE_OUTPUT_MESSAGES contains the identical activationComments value as
the other occurrences; edit the GH_AW_SAFE_OUTPUT_MESSAGES entry (referenced
alongside GH_AW_ENGINE_ID and GH_AW_WORKFLOW_ID) to remove the duplicate
mismatch.

.github/workflows/gh-aw-pr-ci-detective.lock.yml (1)

1286-1289: Same activation-comments update as above.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-pr-ci-detective.lock.yml around lines 1286 - 1289,
Replace the hardcoded "activationComments":"false" inside the
GH_AW_SAFE_OUTPUT_MESSAGES JSON with the workflow input so it can be overridden;
update the GH_AW_SAFE_OUTPUT_MESSAGES value to use interpolation like
"activationComments":"${{ inputs.activation-comments || 'false' }}" (keep
existing escaping/quoting) so the activationComments behavior can be controlled
via the inputs, referencing GH_AW_SAFE_OUTPUT_MESSAGES and the
inputs.activation-comments variable.

.github/workflows/gh-aw-release-update.lock.yml (2)

1254-1254: activationComments:"false" string value — see same concern raised in gh-aw-product-manager-impersonator.lock.yml.

Also applies to: 1435-1435

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-release-update.lock.yml at line 1254, The env var
GH_AW_SAFE_OUTPUT_MESSAGES embeds JSON where activationComments is the string
"false" — change it to a boolean false so the consumer gets a proper boolean.
Edit the GH_AW_SAFE_OUTPUT_MESSAGES value and replace activationComments:"false"
with activationComments:false (preserving surrounding escaping/quoting in the
YAML string), affecting the entries at the same pattern (e.g., the other
occurrence noted around line 1435) so both produce a boolean false rather than a
string.

---

1017-1018: --env-all flag — see same concern raised in gh-aw-product-manager-impersonator.lock.yml.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-release-update.lock.yml around lines 1017 - 1018,
The command is using the insecure --env-all flag with the awf invocation;
replace it by removing --env-all and explicitly whitelist only needed
environment variables (e.g., pass an --env-file or individual --env NAME=VALUE
flags) to avoid leaking secrets. Edit the awf invocation that currently contains
"--env-all" (and related awf flags) to use a safe alternative (explicit --env or
--env-file) and ensure the copilot subprocess still receives required vars via
that file or explicit flags; keep other flags (--allow-domains,
--enable-host-access, etc.) unchanged. Ensure the change mirrors the same fix
applied in the other workflow (the one raising the same concern) so both
workflows use explicit env whitelisting instead of --env-all.

.github/workflows/gh-aw-deep-research.lock.yml (2)

896-897: --env-all flag — see same concern raised in gh-aw-product-manager-impersonator.lock.yml.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-deep-research.lock.yml around lines 896 - 897,
Remove the insecure --env-all flag from the awf invocation and instead
explicitly pass only the required environment variables (or use awf's --env
<NAME>=<VALUE> / --env-file options) so secrets and host environment variables
are not exposed; locate the awf call (the shell command containing "sudo -E awf
... --env-all ... -- /bin/bash -c '... gemini ...'") and replace --env-all with
explicit --env/--env-file entries or a minimal safe list of variables needed for
the job, matching the same remediation used for
gh-aw-product-manager-impersonator.lock.yml.

---

1085-1085: activationComments:"false" string value — see same concern raised in gh-aw-product-manager-impersonator.lock.yml.

Also applies to: 1265-1265

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-deep-research.lock.yml at line 1085,
GH_AW_SAFE_OUTPUT_MESSAGES currently embeds activationComments as the string
"false" which must be a boolean false in the JSON payload; update the env value
so activationComments is unquoted (activationComments:false) inside the
GH_AW_SAFE_OUTPUT_MESSAGES JSON string (and fix the duplicate occurrence around
the other instance) so the consumer receives a real boolean instead of a string;
locate the GH_AW_SAFE_OUTPUT_MESSAGES assignment and replace
activationComments:"false" with activationComments:false in both occurrences.

🧹 Nitpick comments (1)

.github/workflows/agentics-maintenance.yml (1)

52-52: Version bump looks correct; note the unpinned action reference.

The bump from v0.49.2 → v0.49.4 matches the PR objective. However, unlike the other three uses: steps in this file — which all pin actions/github-script to a full commit SHA — github/gh-aw/actions/setup is only pinned to a mutable version tag. A compromised or force-pushed tag could silently swap the setup scripts loaded into /opt/gh-aw/actions and affect every downstream script step.

Since this is an auto-generated file, the pinning strategy is owned by the generator (pkg/workflow/maintenance_workflow.go). Consider updating the generator to emit a SHA-pinned reference alongside the human-readable tag comment, consistent with how actions/github-script is referenced:

-        uses: github/gh-aw/actions/setup@v0.49.4
+        uses: github/gh-aw/actions/setup@<SHA> # v0.49.4

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/agentics-maintenance.yml at line 52, The workflow step
uses the mutable tag "github/gh-aw/actions/setup@v0.49.4" which is unpinned and
risks supply-chain tampering; update the workflow generator
(pkg/workflow/maintenance_workflow.go) to emit a SHA-pinned reference for
github/gh-aw/actions/setup (e.g., include the full commit SHA alongside the
human-readable tag) the same way actions/github-script is currently emitted, so
the generated file writes a fixed "uses:" value with the commit SHA while
optionally leaving the tag as a comment for readability.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/gh-aw-bug-exterminator.lock.yml:
- Around line 1059-1060: The workflow is using awf with the broad --env-all
flag; update the workflow to either (A) document exactly which dynamic tool env
vars are required (Go/Python/Node/Ruby/uv) and add an inline comment near the
awf invocation listing those variables and why --env-all is needed, or (B)
replace --env-all with a minimal curated allowlist (use awf's allowlist option
or equivalent) that exposes only the specific environment variables and paths
required by awf and the /usr/local/bin/copilot invocation (reference the awf
command and the copilot --add-dir/--prompt usage), and ensure any
domain/host-access flags (--allow-domains, --enable-host-access) are reviewed
and reduced if possible; implement the chosen change and update workflow docs to
explain the rationale.

In @.github/workflows/gh-aw-bug-hunter.lock.yml:
- Around line 1009-1010: The workflow exposes all runner environment variables
via the awf flag "--env-all" in the sudo -E awf invocation; replace it with a
minimal explicit allowlist (e.g., remove "--env-all" and add only the needed
environment keys via awf's per-variable flags or an env-file) or
document/justify why full exposure is required; locate the command containing
"sudo -E awf --env-all" and change to explicit --env <VAR> entries (or an
env-file/allowlist mechanism supported by awf) to follow least-privilege
practices.

In @.github/workflows/gh-aw-docs-patrol.lock.yml:
- Line 1240: Remove the invalid activationComments property from the
GH_AW_SAFE_OUTPUT_MESSAGES environment variable (the variable
GH_AW_SAFE_OUTPUT_MESSAGES should only contain message templates such as footer)
and instead set the activation-comments control via the workflow frontmatter or
inputs (use frontmatter flag activation-comments: false or the workflow input
safe-outputs.messages.append-only-comments: true) so the safe-output handler
receives only templates and activation behavior is controlled by the proper
flags.

In @.github/workflows/gh-aw-plan.lock.yml:
- Around line 975-976: The awf invocation currently uses the --env-all flag
which exports all runner environment variables (including secrets) into the
container; remove --env-all from the awf command and instead explicitly pass
only the required variables (e.g., via awf's per-variable env flags or by adding
an explicit env block) or, if keeping --env-all is absolutely required, add a
brief justification comment in the workflow explaining exactly which consumed
secrets/vars necessitate it and why they cannot be passed explicitly; locate the
awf invocation line containing the --env-all flag to make this change.

In @.github/workflows/gh-aw-pr-actions-fixer.lock.yml:
- Around line 1071-1072: The awf invocation currently uses the unsafe flag
--env-all which may leak secrets when running the agentic tool (see the awf
command line containing --env-all and the nested /usr/local/bin/copilot
invocation); replace --env-all with explicit -e KEY=VALUE arguments for only the
variables the workflow actually needs (e.g., GITHUB_WORKSPACE, GITHUB_REF,
GITHUB_SHA, HOME, and any specific tokens or config vars you intend to expose)
and remove any broad environment exposure, ensuring the awf call and its flags
(the awf --env-all occurrence) are updated to pass only those -e pairs.

In @.github/workflows/gh-aw-product-manager-impersonator.lock.yml:
- Around line 995-996: The awf invocation in the compiled command includes the
--env-all flag (see the awf command and the --env-all token), which may have
been injected by gh aw compile in AWF v0.49.4; investigate whether gh aw compile
/ AWF v0.49.4 intentionally defaults to --env-all by reproducing a compile with
that AWF version and checking release notes/changelog, confirm whether there is
an opt-out (e.g., a compile flag or config to prevent --env-all) or if upgrading
AWF removes it, and if it is intentional add documentation in the workflow repo
about the security trade-off and apply mitigations (remove/override --env-all,
enforce scrub/mask of secrets, tighten file permissions for
/tmp/awf-*/docker-compose.yml or avoid writing secrets in plaintext) while
referencing the exact invocation that includes --env-all and the copilot wrapper
invocation for verification.

In @.github/workflows/gh-aw-refactor-opportunist.lock.yml:
- Around line 1256-1257: The JSON string assigned to GH_AW_SAFE_OUTPUT_MESSAGES
contains activationComments as a string ("false") but it should be a boolean;
update the GH_AW_SAFE_OUTPUT_MESSAGES value(s) where activationComments appears
(both occurrences) to use activationComments:false (remove the surrounding
quotes) so the payload sends a boolean rather than a string.

In @.github/workflows/gh-aw-text-auditor.lock.yml:
- Line 1309: The GH_AW_SAFE_OUTPUT_MESSAGES environment variable contains an
invalid "activationComments" property; remove the `"activationComments":"false"`
entry from the GH_AW_SAFE_OUTPUT_MESSAGES JSON value (the environment variable
named GH_AW_SAFE_OUTPUT_MESSAGES) so the JSON only includes valid
safe-output-messages keys (run-started, run-success, run-failure, footer); apply
this removal to all workflow files that set GH_AW_SAFE_OUTPUT_MESSAGES to
consolidate the fix.

---

Outside diff comments:
In @.github/workflows/gh-aw-performance-profiler.md:
- Around line 67-74: Move the activation-comments setting out from under
safe-outputs and place it at the root frontmatter level: remove
activation-comments: false as a child of safe-outputs and add it as a top-level
frontmatter key alongside safe-outputs so activation-comments and safe-outputs
share the same indentation; reference the existing activation-comments and
safe-outputs keys when updating the YAML.

---

Duplicate comments:
In @.github/workflows/gh-aw-agent-suggestions.lock.yml:
- Around line 1384-1387: The GH_AW_SAFE_OUTPUT_MESSAGES entry currently
hardcodes "activationComments":"false" (inside the GH_AW_SAFE_OUTPUT_MESSAGES
string) and this duplicates the previous activation-comments update; update
GH_AW_SAFE_OUTPUT_MESSAGES to use the inputs activation-comments value like the
other entries (e.g., read inputs.activation-comments or
inputs['activation-comments']), replacing the hardcoded "false" so
activationComments follows the workflow input and avoids duplication; target the
GH_AW_SAFE_OUTPUT_MESSAGES environment variable string in the workflow where
GH_AW_ENGINE_ID/GH_AW_ENGINE_MODEL are set.

In @.github/workflows/gh-aw-breaking-change-detector.lock.yml:
- Around line 1234-1235: The GH_AW_SAFE_OUTPUT_MESSAGES environment value
contains a duplicated activationComments property; locate the
GH_AW_SAFE_OUTPUT_MESSAGES assignment and remove the redundant
activationComments entry so the JSON string only sets "activationComments" once
(keep the intended default value expression ${ { inputs.messages-footer ... } }
intact), ensuring GH_AW_SAFE_OUTPUT_MESSAGES and GH_AW_GROUP_REPORTS remain
unchanged.
- Around line 1011-1012: The workflow duplicates a change to the awf invocation
using the --env-all flag; update the duplicated sudo -E awf --env-all ...
invocation so it includes the same verification logic/flags as the other
occurrence(s) (ensure the awf command and its downstream copilot run use
identical flags and verification steps), and/or consolidate both usages to a
single canonical invocation of awf --env-all (referencing the exact command
string "sudo -E awf --env-all --container-workdir \"${GITHUB_WORKSPACE}\" ...
--enable-api-proxy \\" and the subsequent "/usr/local/bin/copilot --add-dir ..."
call) so the same recommended verification and flag semantics are applied
consistently across the workflow.
- Around line 102-104: Update the GitHub Action "uses" reference for the gh-aw
setup action so it matches the same bumped ref used in other workflows: replace
the current "uses:
github/gh-aw/actions/setup@bf34f9947505c887fdc597a13b8ff277cccd9c20" entries
with the identical action ref used elsewhere, keeping the "with: destination:
/opt/gh-aw/actions" block unchanged; apply this same change to the other
occurrences noted (the other uses lines in the file).

In @.github/workflows/gh-aw-code-simplifier.lock.yml:
- Around line 1459-1462: This is a duplicate of the earlier activation-comments
change: update the GH_AW_SAFE_OUTPUT_MESSAGES JSON so its "activationComments"
property matches the earlier update (the same boolean/string value used
previously), ensuring GH_AW_SAFE_OUTPUT_MESSAGES contains the identical
activationComments value as the other occurrences; edit the
GH_AW_SAFE_OUTPUT_MESSAGES entry (referenced alongside GH_AW_ENGINE_ID and
GH_AW_WORKFLOW_ID) to remove the duplicate mismatch.

In @.github/workflows/gh-aw-deep-research.lock.yml:
- Around line 896-897: Remove the insecure --env-all flag from the awf
invocation and instead explicitly pass only the required environment variables
(or use awf's --env <NAME>=<VALUE> / --env-file options) so secrets and host
environment variables are not exposed; locate the awf call (the shell command
containing "sudo -E awf ... --env-all ... -- /bin/bash -c '... gemini ...'") and
replace --env-all with explicit --env/--env-file entries or a minimal safe list
of variables needed for the job, matching the same remediation used for
gh-aw-product-manager-impersonator.lock.yml.
- Line 1085: GH_AW_SAFE_OUTPUT_MESSAGES currently embeds activationComments as
the string "false" which must be a boolean false in the JSON payload; update the
env value so activationComments is unquoted (activationComments:false) inside
the GH_AW_SAFE_OUTPUT_MESSAGES JSON string (and fix the duplicate occurrence
around the other instance) so the consumer receives a real boolean instead of a
string; locate the GH_AW_SAFE_OUTPUT_MESSAGES assignment and replace
activationComments:"false" with activationComments:false in both occurrences.

In @.github/workflows/gh-aw-duplicate-issue-detector.lock.yml:
- Around line 1125-1126: Duplicate setting for activationComments is present in
GH_AW_SAFE_OUTPUT_MESSAGES (and repeated at the block with GH_AW_GROUP_REPORTS)
— remove the redundant activationComments insertion so the JSON value for
GH_AW_SAFE_OUTPUT_MESSAGES appears only once; locate the occurrences referencing
GH_AW_SAFE_OUTPUT_MESSAGES and GH_AW_GROUP_REPORTS and delete the duplicate line
that adds "activationComments":"false" (or consolidate to a single definition),
ensuring the remaining GH_AW_SAFE_OUTPUT_MESSAGES value is valid JSON and not
repeated.
- Around line 901-902: This duplicate invocation of the awf --env-all command
(the line starting with "sudo -E awf --env-all") needs the same verification
applied as the other occurrence: ensure the same whitelist (--allow-domains
list), proxy/log flags, and the downstream copilot invocation
(/usr/local/bin/copilot --add-dir ... --prompt "$(cat
/tmp/gh-aw/aw-prompts/prompt.txt)") are present and validated; update this block
so it matches the previously verified awf usage (same flags, domains,
--enable-host-access, --enable-api-proxy, and logging options) and add the same
comment or CI check that confirms the --env-all implications have been reviewed.
- Around line 101-103: Update the setup action reference to match the approved
bump used in the other workflows by replacing the current uses string "uses:
github/gh-aw/actions/setup@bf34f9947505c887fdc597a13b8ff277cccd9c20" with the
same tag/commit hash that was applied elsewhere, keeping the "with: destination:
/opt/gh-aw/actions" block unchanged; ensure you make the identical change for
all other occurrences of that uses line so every workflow is consistent.

In @.github/workflows/gh-aw-pr-ci-detective.lock.yml:
- Around line 1286-1289: Replace the hardcoded "activationComments":"false"
inside the GH_AW_SAFE_OUTPUT_MESSAGES JSON with the workflow input so it can be
overridden; update the GH_AW_SAFE_OUTPUT_MESSAGES value to use interpolation
like "activationComments":"${{ inputs.activation-comments || 'false' }}" (keep
existing escaping/quoting) so the activationComments behavior can be controlled
via the inputs, referencing GH_AW_SAFE_OUTPUT_MESSAGES and the
inputs.activation-comments variable.

In @.github/workflows/gh-aw-project-summary.lock.yml:
- Around line 102-104: Multiple workflow steps use an older pin for the GitHub
action github/gh-aw/actions/setup@bf34f9947505c887fdc597a13b8ff277cccd9c20;
update each occurrence (the "uses: github/gh-aw/actions/setup@..." entries) to
the same newer version/commit used in the other workflows so all setups are
consistent across the file (apply the same update to the other occurrences
mentioned: the duplicate blocks near the listed ranges).
- Around line 1222-1223: The GH_AW_SAFE_OUTPUT_MESSAGES environment entry
includes a duplicated activationComments field; locate the
GH_AW_SAFE_OUTPUT_MESSAGES definition (the string containing "footer" and
"activationComments") and remove the duplicate "activationComments" insertion so
the JSON value only defines activationComments once (ensure the remaining one
uses the intended value), and likewise remove the repeated instance at the other
occurrence referenced (the second GH_AW_SAFE_OUTPUT_MESSAGES block around the
other occurrence) to avoid conflicting/duplicate keys.
- Around line 999-1000: The PR introduced a duplicate change to the awf
invocation: locate all uses of the awf command with the --env-all flag (search
for the token "awf --env-all") and make the same verification/update
consistently for each occurrence — ensure each awf invocation includes the same
allow/deny flags, domains list, proxy/log args and the same sandbox options as
in the shown invocation so behavior is consistent; update any mismatched
invocations (or add missing verification steps) to match the canonical
invocation (the one that includes --allow-domains, --log-level,
--proxy-logs-dir, --enable-host-access, --image-tag, --skip-pull,
--enable-api-proxy, etc.).

In @.github/workflows/gh-aw-release-update.lock.yml:
- Line 1254: The env var GH_AW_SAFE_OUTPUT_MESSAGES embeds JSON where
activationComments is the string "false" — change it to a boolean false so the
consumer gets a proper boolean. Edit the GH_AW_SAFE_OUTPUT_MESSAGES value and
replace activationComments:"false" with activationComments:false (preserving
surrounding escaping/quoting in the YAML string), affecting the entries at the
same pattern (e.g., the other occurrence noted around line 1435) so both produce
a boolean false rather than a string.
- Around line 1017-1018: The command is using the insecure --env-all flag with
the awf invocation; replace it by removing --env-all and explicitly whitelist
only needed environment variables (e.g., pass an --env-file or individual --env
NAME=VALUE flags) to avoid leaking secrets. Edit the awf invocation that
currently contains "--env-all" (and related awf flags) to use a safe alternative
(explicit --env or --env-file) and ensure the copilot subprocess still receives
required vars via that file or explicit flags; keep other flags
(--allow-domains, --enable-host-access, etc.) unchanged. Ensure the change
mirrors the same fix applied in the other workflow (the one raising the same
concern) so both workflows use explicit env whitelisting instead of --env-all.

---

Nitpick comments:
In @.github/workflows/agentics-maintenance.yml:
- Line 52: The workflow step uses the mutable tag
"github/gh-aw/actions/setup@v0.49.4" which is unpinned and risks supply-chain
tampering; update the workflow generator (pkg/workflow/maintenance_workflow.go)
to emit a SHA-pinned reference for github/gh-aw/actions/setup (e.g., include the
full commit SHA alongside the human-readable tag) the same way
actions/github-script is currently emitted, so the generated file writes a fixed
"uses:" value with the commit SHA while optionally leaving the tag as a comment
for readability.

---

ℹ️ Review info

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between caf5c04 and 0fa01b7.

📒 Files selected for processing (102)

• .github/aw/actions-lock.json
• .github/workflows/agent-deep-dive.lock.yml
• .github/workflows/agent-efficiency.lock.yml
• .github/workflows/agentics-maintenance.yml
• .github/workflows/downstream-users.lock.yml
• .github/workflows/gh-aw-agent-suggestions.lock.yml
• .github/workflows/gh-aw-agent-suggestions.md
• .github/workflows/gh-aw-branch-actions-detective.lock.yml
• .github/workflows/gh-aw-branch-actions-detective.md
• .github/workflows/gh-aw-breaking-change-detect.lock.yml
• .github/workflows/gh-aw-breaking-change-detector.lock.yml
• .github/workflows/gh-aw-breaking-change-detector.md
• .github/workflows/gh-aw-bug-exterminator.lock.yml
• .github/workflows/gh-aw-bug-exterminator.md
• .github/workflows/gh-aw-bug-hunter.lock.yml
• .github/workflows/gh-aw-bug-hunter.md
• .github/workflows/gh-aw-code-duplication-detector.lock.yml
• .github/workflows/gh-aw-code-duplication-detector.md
• .github/workflows/gh-aw-code-duplication-fixer.lock.yml
• .github/workflows/gh-aw-code-duplication-fixer.md
• .github/workflows/gh-aw-code-simplifier.lock.yml
• .github/workflows/gh-aw-code-simplifier.md
• .github/workflows/gh-aw-deep-research.lock.yml
• .github/workflows/gh-aw-deep-research.md
• .github/workflows/gh-aw-docs-drift.lock.yml
• .github/workflows/gh-aw-docs-patrol-external.lock.yml
• .github/workflows/gh-aw-docs-patrol-external.md
• .github/workflows/gh-aw-docs-patrol.lock.yml
• .github/workflows/gh-aw-docs-patrol.md
• .github/workflows/gh-aw-docs-pr-review.lock.yml
• .github/workflows/gh-aw-docs-pr-review.md
• .github/workflows/gh-aw-downstream-health.lock.yml
• .github/workflows/gh-aw-downstream-health.md
• .github/workflows/gh-aw-duplicate-issue-detector.lock.yml
• .github/workflows/gh-aw-duplicate-issue-detector.md
• .github/workflows/gh-aw-flaky-test-investigator.lock.yml
• .github/workflows/gh-aw-flaky-test-investigator.md
• .github/workflows/gh-aw-issue-fixer.lock.yml
• .github/workflows/gh-aw-issue-fixer.md
• .github/workflows/gh-aw-issue-triage.lock.yml
• .github/workflows/gh-aw-issue-triage.md
• .github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml
• .github/workflows/gh-aw-mention-in-issue-no-sandbox.md
• .github/workflows/gh-aw-mention-in-issue.lock.yml
• .github/workflows/gh-aw-mention-in-issue.md
• .github/workflows/gh-aw-mention-in-pr-by-id.lock.yml
• .github/workflows/gh-aw-mention-in-pr-by-id.md
• .github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml
• .github/workflows/gh-aw-mention-in-pr-no-sandbox.md
• .github/workflows/gh-aw-mention-in-pr.lock.yml
• .github/workflows/gh-aw-mention-in-pr.md
• .github/workflows/gh-aw-newbie-contributor-fixer.lock.yml
• .github/workflows/gh-aw-newbie-contributor-fixer.md
• .github/workflows/gh-aw-newbie-contributor-patrol-external.lock.yml
• .github/workflows/gh-aw-newbie-contributor-patrol-external.md
• .github/workflows/gh-aw-newbie-contributor-patrol.lock.yml
• .github/workflows/gh-aw-newbie-contributor-patrol.md
• .github/workflows/gh-aw-performance-profiler.lock.yml
• .github/workflows/gh-aw-performance-profiler.md
• .github/workflows/gh-aw-plan.lock.yml
• .github/workflows/gh-aw-plan.md
• .github/workflows/gh-aw-pr-actions-detective.lock.yml
• .github/workflows/gh-aw-pr-actions-detective.md
• .github/workflows/gh-aw-pr-actions-fixer.lock.yml
• .github/workflows/gh-aw-pr-actions-fixer.md
• .github/workflows/gh-aw-pr-buildkite-detective.lock.yml
• .github/workflows/gh-aw-pr-buildkite-detective.md
• .github/workflows/gh-aw-pr-ci-detective.lock.yml
• .github/workflows/gh-aw-pr-review-addresser.lock.yml
• .github/workflows/gh-aw-pr-review-addresser.md
• .github/workflows/gh-aw-pr-review.lock.yml
• .github/workflows/gh-aw-pr-review.md
• .github/workflows/gh-aw-product-manager-impersonator.lock.yml
• .github/workflows/gh-aw-product-manager-impersonator.md
• .github/workflows/gh-aw-project-summary.lock.yml
• .github/workflows/gh-aw-project-summary.md
• .github/workflows/gh-aw-refactor-opportunist.lock.yml
• .github/workflows/gh-aw-refactor-opportunist.md
• .github/workflows/gh-aw-release-update.lock.yml
• .github/workflows/gh-aw-release-update.md
• .github/workflows/gh-aw-scheduled-audit.lock.yml
• .github/workflows/gh-aw-scheduled-audit.md
• .github/workflows/gh-aw-scheduled-fix.lock.yml
• .github/workflows/gh-aw-scheduled-fix.md
• .github/workflows/gh-aw-small-problem-fixer.lock.yml
• .github/workflows/gh-aw-small-problem-fixer.md
• .github/workflows/gh-aw-stale-issues.lock.yml
• .github/workflows/gh-aw-stale-issues.md
• .github/workflows/gh-aw-test-improvement.lock.yml
• .github/workflows/gh-aw-test-improver.lock.yml
• .github/workflows/gh-aw-test-improver.md
• .github/workflows/gh-aw-text-auditor.lock.yml
• .github/workflows/gh-aw-text-auditor.md
• .github/workflows/gh-aw-text-beautifier.lock.yml
• .github/workflows/gh-aw-text-beautifier.md
• .github/workflows/gh-aw-update-pr-body.lock.yml
• .github/workflows/gh-aw-update-pr-body.md
• .github/workflows/gh-aw-ux-design-patrol.lock.yml
• .github/workflows/gh-aw-ux-design-patrol.md
• .github/workflows/upgrade-check.lock.yml
• .github/workflows/workflow-patrol.lock.yml
• Makefile

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, let's find and examine any gh-aw related documentation
find . -type f -name "gh-aw*.md" -o -name "*gh-aw*" | head -20

Repository: elastic/ai-github-actions

Length of output: 1098

---

🏁 Script executed:

#!/bin/bash
# Search for documentation or comments mentioning --env-all
rg -n --glob '*.md' -C2 'env-all|awf.*--env-all'

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

#!/bin/bash
# Check the workflow file to understand context better
head -100 .github/workflows/gh-aw-bug-exterminator.lock.yml

Repository: elastic/ai-github-actions

Length of output: 3317

---

🏁 Script executed:

#!/bin/bash
# Look for any security or environment guidelines
find . -type f \( -name "*SECURITY*" -o -name "*security*" -o -name "*ENV*" \) | grep -E "\.(md|txt|yml|yaml)$"

Repository: elastic/ai-github-actions

Length of output: 101

---

🏁 Script executed:

#!/bin/bash
# Check the source .md file for gh-aw-bug-exterminator
cat .github/workflows/gh-aw-bug-exterminator.md

Repository: elastic/ai-github-actions

Length of output: 2811

---

🏁 Script executed:

#!/bin/bash
# Check security documentation
cat SECURITY.md

Repository: elastic/ai-github-actions

Length of output: 8361

---

🏁 Script executed:

#!/bin/bash
# Check if there are fragments mentioning network or environment
ls -la .github/workflows/gh-aw-fragments/

Repository: elastic/ai-github-actions

Length of output: 1757

---

🏁 Script executed:

#!/bin/bash
# Search for --env-all in the source .md file and fragments
rg -n 'env-all' .github/workflows/

Repository: elastic/ai-github-actions

Length of output: 50382

---

🏁 Script executed:

#!/bin/bash
# Check runtime-setup.md which was imported
cat .github/workflows/gh-aw-fragments/runtime-setup.md

Repository: elastic/ai-github-actions

Length of output: 1445

---

🏁 Script executed:

#!/bin/bash
# Search for comments near --env-all in source .md files
rg -A5 -B5 'env-all' .github/workflows/*.md

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

#!/bin/bash
# Check if there's any comment or documentation in the lock file about the awf command
sed -n '1050,1070p' .github/workflows/gh-aw-bug-exterminator.lock.yml | head -30

Repository: elastic/ai-github-actions

Length of output: 6510

---

Document or reconsider --env-all exposure necessity.

The --env-all flag is required across all workflows to support dynamically installed tools (Go, Python, Node.js, Ruby, uv) and their associated environment variables inside the container. However, if the multi-tool setup can be made more conservative or if environment variable exposure can be minimized without breaking functionality, consider documenting the explicit requirements or reducing to a curated allowlist.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-bug-exterminator.lock.yml around lines 1059 - 1060,
The workflow is using awf with the broad --env-all flag; update the workflow to
either (A) document exactly which dynamic tool env vars are required
(Go/Python/Node/Ruby/uv) and add an inline comment near the awf invocation
listing those variables and why --env-all is needed, or (B) replace --env-all
with a minimal curated allowlist (use awf's allowlist option or equivalent) that
exposes only the specific environment variables and paths required by awf and
the /usr/local/bin/copilot invocation (reference the awf command and the copilot
--add-dir/--prompt usage), and ensure any domain/host-access flags
(--allow-domains, --enable-host-access) are reviewed and reduced if possible;
implement the chosen change and update workflow docs to explain the rationale.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, let's find documentation files about gh-aw
find . -type f -name "*.md" | head -20

Repository: elastic/ai-github-actions

Length of output: 988

---

🏁 Script executed:

#!/bin/bash
# Run the provided verification script
rg -n --glob 'gh-aw-*.md' -C2 'awf .*--env-all'

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

#!/bin/bash
# Let's look for any gh-aw related documentation
find . -type f \( -name "*gh-aw*" -o -name "*awf*" \) | grep -E "\.(md|yml|yaml|txt)$"

Repository: elastic/ai-github-actions

Length of output: 4886

---

🏁 Script executed:

#!/bin/bash
# Check the context around the flagged lines in the workflow
cat -n .github/workflows/gh-aw-bug-hunter.lock.yml | sed -n '1000,1020p'

Repository: elastic/ai-github-actions

Length of output: 6657

---

🏁 Script executed:

#!/bin/bash
# Search for any environment variable allowlist patterns in the workflow
rg -n 'env-all|ENV' .github/workflows/gh-aw-bug-hunter.lock.yml | head -20

Repository: elastic/ai-github-actions

Length of output: 5484

---

🏁 Script executed:

#!/bin/bash
# Check the main documentation for gh-aw-bug-hunter
cat -n .github/workflows/gh-aw-bug-hunter.md | head -100

Repository: elastic/ai-github-actions

Length of output: 4264

---

🏁 Script executed:

#!/bin/bash
# Search for all occurrences of --env-all in lock.yml files
rg -l --glob '*.lock.yml' '\-\-env-all' | wc -l
rg --glob '*.lock.yml' '\-\-env-all' | head -20

Repository: elastic/ai-github-actions

Length of output: 385

---

🏁 Script executed:

#!/bin/bash
# Check if there's any documentation about --env-all in the repository
find . -type f \( -name "*.md" -o -name "README*" \) -exec grep -l 'env-all' {} \;

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

#!/bin/bash
# Search for --env-all without escaping
rg 'env-all' .github/workflows/ | head -5

Repository: elastic/ai-github-actions

Length of output: 18772

---

🏁 Script executed:

#!/bin/bash
# Count how many workflow files use --env-all
find .github/workflows -name "*.lock.yml" -exec grep -l 'env-all' {} \; | wc -l

Repository: elastic/ai-github-actions

Length of output: 71

---

🏁 Script executed:

#!/bin/bash
# Get a few examples
find .github/workflows -name "*.lock.yml" -exec grep -l 'env-all' {} \; | head -5

Repository: elastic/ai-github-actions

Length of output: 2064

---

Confirm --env-all exposure is acceptable.

This forwards all runner environment variables into the awf container and is used across 52 workflows. If not required for agent functionality, consider reverting to a minimal env allowlist to follow principle of least privilege.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-bug-hunter.lock.yml around lines 1009 - 1010, The
workflow exposes all runner environment variables via the awf flag "--env-all"
in the sudo -E awf invocation; replace it with a minimal explicit allowlist
(e.g., remove "--env-all" and add only the needed environment keys via awf's
per-variable flags or an env-file) or document/justify why full exposure is
required; locate the command containing "sudo -E awf --env-all" and change to
explicit --env <VAR> entries (or an env-file/allowlist mechanism supported by
awf) to follow least-privilege practices.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the file to see the actual content at the specified lines
git ls-files | grep -E "gh-aw.*yml"

Repository: elastic/ai-github-actions

Length of output: 2593

---

🏁 Script executed:

# Find the workflow file
fd "gh-aw-docs-patrol" -type f

Repository: elastic/ai-github-actions

Length of output: 239

---

🏁 Script executed:

# Check if the file exists and read the relevant lines
if [ -f ".github/workflows/gh-aw-docs-patrol.lock.yml" ]; then
  echo "=== Lines around 1240 ==="
  sed -n '1235,1245p' .github/workflows/gh-aw-docs-patrol.lock.yml
  echo ""
  echo "=== Lines around 1405 ==="
  sed -n '1400,1410p' .github/workflows/gh-aw-docs-patrol.lock.yml
fi

Repository: elastic/ai-github-actions

Length of output: 1787

---

🌐 Web query:

gh-aw v0.49.3 GH_AW_SAFE_OUTPUT_MESSAGES activationComments format

💡 Result:

In gh-aw v0.49.3, the setting to disable the bot’s “activation / fallback” comments is a frontmatter boolean flag named activation-comments (kebab-case), e.g.: [1]

---
on: workflow_dispatch
activation-comments: false
---

GH_AW_SAFE_OUTPUT_MESSAGES is a JSON string env var used internally by the safe-output “messages system” to carry your configured message templates; its value is expected to be a JSON object of message-name → template-string pairs, e.g.: [2]

GH_AW_SAFE_OUTPUT_MESSAGES='{"myNewMessage":"Custom: {placeholder1}"}'

Separately, the documented user-facing configuration for safe-output messages is in workflow frontmatter under safe-outputs.messages with message types like run-started, run-success, run-failure, and footer. [3]

Sources: [1] [2] [3]

---

🌐 Web query:

gh-aw safe-output handler activationComments boolean string

💡 Result:

In gh-aw (GitHub Agentic Workflows) there isn’t a safe-outputs (or handler) field named activationComments.

What the docs do say is:

• By default, gh-aw posts an “activation comment” when a workflow starts, and then edits that same comment with the final status. (github.github.com)
• If you want an append-only timeline (don’t edit the activation comment), set safe-outputs.messages.append-only-comments: true (this is a boolean). (github.github.com)
• Most boolean safe-output config fields can be templated using a GitHub Actions expression string (e.g., ${{ inputs.create_draft }}), but some permission-sensitive booleans must remain literal true/false. (github.github.com)

Example:

safe-outputs:
  messages:
    append-only-comments: true

If you meant Akamai’s activationComments field (seen in some Akamai APIs/CLIs), that’s a separate product and unrelated to gh-aw safe outputs. (techdocs.akamai.com)

Citations:

• 1: https://github.github.com/gh-aw/reference/safe-outputs/
• 2: https://github.github.com/gh-aw/reference/safe-outputs/
• 3: https://github.github.com/gh-aw/reference/safe-outputs/
• 4: https://techdocs.akamai.com/powershell/docs/new-networklistactivation?utm_source=openai

---

Remove invalid activationComments field from GH_AW_SAFE_OUTPUT_MESSAGES environment variable.

The activationComments field does not exist in gh-aw's safe-output handler. GH_AW_SAFE_OUTPUT_MESSAGES should only contain message templates (like footer), not control flags. Control of activation comments should be set via the frontmatter flag activation-comments: false or safe-outputs.messages.append-only-comments: true, not in this environment variable.

Also applies to: 1405-1405

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-docs-patrol.lock.yml at line 1240, Remove the
invalid activationComments property from the GH_AW_SAFE_OUTPUT_MESSAGES
environment variable (the variable GH_AW_SAFE_OUTPUT_MESSAGES should only
contain message templates such as footer) and instead set the
activation-comments control via the workflow frontmatter or inputs (use
frontmatter flag activation-comments: false or the workflow input
safe-outputs.messages.append-only-comments: true) so the safe-output handler
receives only templates and activation behavior is controlled by the proper
flags.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name 'gh-aw-*.md' -o -name '*awf*.md' | head -20

Repository: elastic/ai-github-actions

Length of output: 1028

---

🏁 Script executed:

rg -n --glob 'gh-aw-*.md' -C2 'awf .*--env-all'

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Search for any documentation about awf and environment variables
rg -n 'env-all|--env-all' --type md --type txt --type yaml

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Look for context around the awf usage in the workflow file
cat -n .github/workflows/gh-aw-plan.lock.yml | sed -n '970,980p'

Repository: elastic/ai-github-actions

Length of output: 5993

---

🏁 Script executed:

# Search for awf usage in other workflow files
rg -n 'awf.*--env' --type yaml -A2 -B2

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Check one of the gh-aw documentation files for context on environment variables
cat ./.github/workflows/gh-aw-plan.md 2>/dev/null | head -100

Repository: elastic/ai-github-actions

Length of output: 2967

---

🏁 Script executed:

# Look for any comments or issues mentioning --env-all or environment variables
rg -n 'env-all|ENV_ALL|environment.*variables' --type md -C3

Repository: elastic/ai-github-actions

Length of output: 1375

---

🏁 Script executed:

# Check if there's a README or documentation at the root level
ls -la .github/workflows/README* .github/README* README* 2>/dev/null | head -20

Repository: elastic/ai-github-actions

Length of output: 127

---

🏁 Script executed:

# Look for the pattern of how env is handled in other similar steps
rg -n 'awf.*--container-workdir' --type yaml -A5 -B2 | head -50

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Check SECURITY.md for context on environment variable handling
cat SECURITY.md | head -250

Repository: elastic/ai-github-actions

Length of output: 8361

---

🏁 Script executed:

# Search for documentation about awf tool and its requirements
find . -name '*.md' -type f -exec grep -l 'awf' {} \; | head -20

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Check if there's any issue or comment explaining the --env-all usage
rg -n 'COPILOT|copilot' .github/workflows/gh-aw-plan.lock.yml -B3 -A3

Repository: elastic/ai-github-actions

Length of output: 18456

---

🏁 Script executed:

# Look for any environment variable handling or security considerations in workflow
cat -n .github/workflows/gh-aw-plan.lock.yml | sed -n '965,985p'

Repository: elastic/ai-github-actions

Length of output: 6630

---

Reconsider --env-all exposure—this contradicts documented security practices.

The --env-all flag forwards all runner environment variables (including secrets like GITHUB_TOKEN, COPILOT_GITHUB_TOKEN, etc.) to the awf container, bypassing the explicit env block. This violates the principle of least privilege documented in SECURITY.md. No documentation justifies this flag's necessity, and other steps in the same workflow (threat detection copilot execution, MCP gateway) demonstrate successful operation without it or with explicit env variable selection. Either remove --env-all or provide explicit justification if required.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-plan.lock.yml around lines 975 - 976, The awf
invocation currently uses the --env-all flag which exports all runner
environment variables (including secrets) into the container; remove --env-all
from the awf command and instead explicitly pass only the required variables
(e.g., via awf's per-variable env flags or by adding an explicit env block) or,
if keeping --env-all is absolutely required, add a brief justification comment
in the workflow explaining exactly which consumed secrets/vars necessitate it
and why they cannot be passed explicitly; locate the awf invocation line
containing the --env-all flag to make this change.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, search for gh-aw or awf documentation in the repository
find . -type f \( -name "*.md" -o -name "*.txt" -o -name "*.yml" -o -name "*.yaml" \) | head -20

Repository: elastic/ai-github-actions

Length of output: 1003

---

🏁 Script executed:

# Search for awf or gh-aw references in the codebase
rg "awf|gh-aw" -t yml -t md -i -A 3 -B 3

Repository: elastic/ai-github-actions

Length of output: 96

---

🏁 Script executed:

# Check the specific workflow file for context
cat -n ".github/workflows/gh-aw-pr-actions-fixer.lock.yml" | head -100

Repository: elastic/ai-github-actions

Length of output: 4062

---

🌐 Web query:

gh-aw awf --env-all documentation and security implications

💡 Result:

What awf --env-all does (and where it’s documented)

In Agentic Workflow Firewall (AWF), the CLI flag:

• --env-all = “Pass all host environment variables to container.” [1]

AWF’s CLI docs also note the firewall requires root and should be run with sudo (and sudo -E if you intend to preserve env vars into the elevated process). [1]

Security implications of --env-all

AWF’s own docs call out the main risk:

• Security Risk: --env-all “May expose sensitive credentials. Prefer -e for specific variables.” [1]

Concretely, --env-all increases blast radius because it can unintentionally pass into the container things like:

• API tokens / auth material (e.g., GITHUB_TOKEN, cloud creds, PATs, *_API_KEY, etc.)
• Proxy credentials, package registry tokens, internal endpoint URLs, feature flags, etc.

Even though AWF is designed to control network egress via a domain allowlist (to reduce exfiltration risk), secrets that enter the container are still exposed to whatever command/agent you run inside it, and could leak via:

• logs/artifacts,
• outbound requests to allowed domains,
• prompt/tool output (in agentic scenarios). [2]

Safer alternatives / best practice

• Prefer explicit env passing: -e KEY=VALUE (repeat as needed) instead of --env-all. [1]
• If you must use --env-all, run with a sanitized environment (unset sensitive vars first) and keep the allowed domains list as tight as possible (--allow-domains ...). [1][2]

Example (recommended pattern):

sudo awf --allow-domains api.github.com -e MY_TOKEN="$MY_TOKEN" -- curl https://api.github.com

Example (higher risk):

sudo -E awf --env-all --allow-domains api.github.com -- your-command

Sources: [1] AWF CLI Reference (documents --env-all and warns about credential exposure), [2] gh-aw Security Architecture (AWF egress control model / defense-in-depth).

---

🌐 Web query:

gh-aw GitHub Actions workflow firewall awf --env-all best practices

💡 Result:

AWF --env-all best practices (for gh aw / Agentic Workflow Firewall)

• Avoid --env-all by default. It “pass[es] all host environment variables to container” and may expose sensitive credentials; prefer passing only what you need with -e/--env KEY=VALUE. [1]
• If you only need to preserve a couple env vars, use sudo -E (selectively). AWF commonly requires sudo (or sudo -E) so your workflow’s token env vars survive privilege escalation. Keep the preserved set minimal. [2]
• Prefer GitHub Actions secrets + least-privilege tokens over broad env injection. Keep GITHUB_TOKEN permissions minimal and avoid long‑lived credentials where possible. [3]
• Keep the network allowlist tight and explicit. AWF is designed for domain allowlisting / default-deny egress; only allow the domains your workflow/agent actually needs. [2]
• Pin dependencies used by workflows. Pin third-party actions (and reusable workflows) to immutable references (commit SHAs) to reduce supply-chain risk. [4]

Rule of thumb: use --env-all only for short-lived, local debugging—and switch back to explicit -e variables (and GitHub secrets) for CI. [1]

Sources

[1] AWF CLI Reference (--env-all security risk) (github.github.com)
[2] AWF docs (requires sudo / sudo -E; domain allowlisting) (github.github.com)
[3] GitHub Docs: Security hardening for GitHub Actions (least privilege, secrets/OIDC guidance) (docs.github.com)
[4] GitHub Well-Architected: Securing GitHub Actions Workflows (pin actions to SHAs) (wellarchitected.github.com)

Citations:

• 1: https://github.github.com/gh-aw-firewall/reference/cli-reference/
• 2: https://github.github.com/gh-aw-firewall/
• 3: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 4: https://wellarchitected.github.com/library/application-security/recommendations/actions-security/?utm_source=openai

---

Use explicit -e environment variables instead of --env-all.
AWF documentation explicitly warns that --env-all "may expose sensitive credentials" and recommends passing only required variables via explicit -e KEY=VALUE arguments. This is particularly important here since the container runs an agentic tool (copilot) with --allow-all-tools and --allow-all-paths—credentials passed into the container could leak through tool operations, logs, or outbound requests to allowed domains. Switch to selectively passing only the environment variables this workflow requires.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-pr-actions-fixer.lock.yml around lines 1071 - 1072,
The awf invocation currently uses the unsafe flag --env-all which may leak
secrets when running the agentic tool (see the awf command line containing
--env-all and the nested /usr/local/bin/copilot invocation); replace --env-all
with explicit -e KEY=VALUE arguments for only the variables the workflow
actually needs (e.g., GITHUB_WORKSPACE, GITHUB_REF, GITHUB_SHA, HOME, and any
specific tokens or config vars you intend to expose) and remove any broad
environment exposure, ensuring the awf call and its flags (the awf --env-all
occurrence) are updated to pass only those -e pairs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's understand the repository structure and find context about awf
git ls-files | head -20

Repository: elastic/ai-github-actions

Length of output: 905

---

🏁 Script executed:

# Look for awf documentation or related files in the repository
fd -t f "(awf|readme|doc)" -i | head -20

Repository: elastic/ai-github-actions

Length of output: 956

---

🏁 Script executed:

# Check if there's a README or documentation about this workflow
find . -type f -name "*.md" | head -20

Repository: elastic/ai-github-actions

Length of output: 988

---

🌐 Web query:

awf --env-all flag environment variable forwarding secrets redaction GitHub Actions

💡 Result:

In Agentic Workflow Firewall (AWF), the --env-all flag forwards (almost) every environment variable from the host into the AWF-run container. Example usage: awf --env-all 'command'. (raw.githubusercontent.com)

Why this is risky (especially in GitHub Actions / CI)

AWF explicitly warns that --env-all is development-only because it can expose secrets in multiple ways, including:

• Credential exposure to disk: forwarded variables (API keys/tokens/passwords) are written in plaintext into AWF’s generated docker-compose file under /tmp/awf-*/docker-compose.yml. (raw.githubusercontent.com)
• Log leakage risk: debug output / shared logs can expose those credentials. (raw.githubusercontent.com)

AWF therefore recommends passing only what you need via -e/--env (or sudo -E for a small default allowlist of auth-related vars). (raw.githubusercontent.com)

Interaction with GitHub Actions “secret redaction”

GitHub Actions masking primarily protects you in logs, and it’s not foolproof:

• Redaction is performed by the runner and is largely based on matching the secret value; transformed/structured values can evade masking. (docs.github.com)
• GitHub’s own guidance is still: don’t print secrets, and mask any sensitive derived values yourself. (docs.github.com)

So, in CI, --env-all can (1) forward far more secrets than intended and (2) place them where GitHub’s log-masking doesn’t help (e.g., plaintext config files), even if your logs look “redacted.” (raw.githubusercontent.com)

Citations:

• 1: https://raw.githubusercontent.com/github/gh-aw-firewall/main/docs/environment.md
• 2: https://raw.githubusercontent.com/github/gh-aw-firewall/main/docs/environment.md
• 3: https://raw.githubusercontent.com/github/gh-aw-firewall/main/docs/environment.md
• 4: https://raw.githubusercontent.com/github/gh-aw-firewall/main/docs/environment.md
• 5: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 6: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions?utm_source=openai
• 7: https://raw.githubusercontent.com/github/gh-aw-firewall/main/docs/environment.md

---

🌐 Web query:

awf v0.49.4 release notes changelog environment variables

💡 Result:

In GitHub Agentic Workflows (github/gh-aw) v0.49.4, the release notes mention these environment variables:

• GITHUB_RUN_ID
• GH_AW_WORKFLOW_ID

Change: both variables are now cleared between test cases (in messages.test.cjs) to prevent leaked state causing intermittent test failures. [1]

Source: the v0.49.4 GitHub release notes (Release Highlights → “Test isolation for workflow ID env vars”). [1]

---

🏁 Script executed:

# Read the workflow file to see the context around lines 995-996
sed -n '985,1010p' .github/workflows/gh-aw-product-manager-impersonator.lock.yml

Repository: elastic/ai-github-actions

Length of output: 6727

---

🏁 Script executed:

# Check if there are any related comments or documentation about --env-all
rg --no-heading "(--env-all|--env-all)" -B 3 -A 3

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Look for other uses of --env-all in the codebase to understand the pattern
rg --no-heading "\-\-env-all"

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Check the specific workflow file for any documentation or rationale
head -100 .github/workflows/gh-aw-product-manager-impersonator.lock.yml

Repository: elastic/ai-github-actions

Length of output: 3278

---

🏁 Script executed:

# Find the corresponding .md file for the product-manager-impersonator workflow
find . -name "*product-manager*" -type f

Repository: elastic/ai-github-actions

Length of output: 251

---

🏁 Script executed:

# Look for gh-aw configuration or version info
fd -t f "(action.yml|version|package\.json|\.yml)" | xargs grep -l "gh-aw" 2>/dev/null | head -10

Repository: elastic/ai-github-actions

Length of output: 565

---

🏁 Script executed:

# Check the .github/aw directory for configuration
ls -la .github/aw/

Repository: elastic/ai-github-actions

Length of output: 246

---

🌐 Web query:

gh-aw compile --env-all flag default behavior environment variables

💡 Result:

gh aw compile does not have a --env-all flag (so there’s no default behavior to describe for it). The documented compile options are --validate, --strict, --fix, --zizmor, --dependabot, --json, --watch, and --purge. [1]

In GitHub Agentic Workflows, environment variables come from what you define in the workflow/frontmatter (e.g., workflow/job/step env: plus AWF-specific scopes like engine.env, tools.<name>.env, safe-outputs...env, etc.), with “most-specific-wins” precedence. [2]

Implication: compilation doesn’t “pull in” all of your local shell environment variables by default; you must explicitly define any env vars you want in the workflow config. [1][2]

Sources: [1] [2]

---

🏁 Script executed:

# Read the source .md file to see how --env-all is specified
cat .github/workflows/gh-aw-product-manager-impersonator.md

Repository: elastic/ai-github-actions

Length of output: 5489

---

🏁 Script executed:

# Also check the actions-lock.json for any version info or --env-all config
cat .github/aw/actions-lock.json

Repository: elastic/ai-github-actions

Length of output: 2832

---

Investigate default --env-all behavior in AWF v0.49.4 copilot engine — this flag was not in the source .md file and appears to have been added by the compilation process.

The --env-all flag does not appear in the source workflow definition (.github/workflows/gh-aw-product-manager-impersonator.md), yet it is present in the compiled .lock.yml file. This indicates it was injected by gh aw compile in v0.49.4, not explicitly requested by the workflow author.

Per AWF documentation, --env-all:

• Forwards nearly all environment variables from the runner into the container (beyond the explicit env: block)
• Writes secrets in plaintext to /tmp/awf-*/docker-compose.yml, where GitHub's log-masking (::add-mask::) provides no protection
• Is explicitly marked "development-only" due to credential exposure risk

Confirm whether:

1. This is intentional default behavior added in v0.49.4 (and if so, document the security trade-off)
2. There is a mechanism to opt out, or if this requires upgrading AWF
3. Any additional mitigation (e.g., log scrubbing, file permissions hardening) is in place

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-product-manager-impersonator.lock.yml around lines
995 - 996, The awf invocation in the compiled command includes the --env-all
flag (see the awf command and the --env-all token), which may have been injected
by gh aw compile in AWF v0.49.4; investigate whether gh aw compile / AWF v0.49.4
intentionally defaults to --env-all by reproducing a compile with that AWF
version and checking release notes/changelog, confirm whether there is an
opt-out (e.g., a compile flag or config to prevent --env-all) or if upgrading
AWF removes it, and if it is intentional add documentation in the workflow repo
about the security trade-off and apply mitigations (remove/override --env-all,
enforce scrub/mask of secrets, tighten file permissions for
/tmp/awf-*/docker-compose.yml or avoid writing secrets in plaintext) while
referencing the exact invocation that includes --env-all and the copilot wrapper
invocation for verification.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the workflow file to see the current state
cat -n .github/workflows/gh-aw-refactor-opportunist.lock.yml | sed -n '1250,1265p'

Repository: elastic/ai-github-actions

Length of output: 1389

---

🏁 Script executed:

# Also check the second location mentioned
cat -n .github/workflows/gh-aw-refactor-opportunist.lock.yml | sed -n '1415,1430p'

Repository: elastic/ai-github-actions

Length of output: 1358

---

🏁 Script executed:

# Search for any gh-aw configuration or schema definitions in the codebase
fd -t f -e json -e yaml -e yml | xargs grep -l "activationComments" 2>/dev/null | head -20

Repository: elastic/ai-github-actions

Length of output: 51

---

🏁 Script executed:

# Search for GH_AW_SAFE_OUTPUT_MESSAGES usage patterns
rg "GH_AW_SAFE_OUTPUT_MESSAGES" -A 2 -B 2 --max-count=10

Repository: elastic/ai-github-actions

Length of output: 51

---

🌐 Web query:

gh-aw activation-comments activationComments safe outputs schema type boolean

💡 Result:

In gh-aw, the frontmatter field:

• activation-comments has schema type boolean.
• Set it to false to silence the bot “activation” / “fallback” comments that gh-aw otherwise posts on the triggering issue/PR/comment thread. [1]

Example:

---
activation-comments: false
---

Sources: [1]

---

Change "activationComments":"false" to "activationComments":false

The activationComments field expects a boolean type, not a string. Remove the quotes around false in the JSON payload.

This applies to both lines 1256 and 1421.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-refactor-opportunist.lock.yml around lines 1256 -
1257, The JSON string assigned to GH_AW_SAFE_OUTPUT_MESSAGES contains
activationComments as a string ("false") but it should be a boolean; update the
GH_AW_SAFE_OUTPUT_MESSAGES value(s) where activationComments appears (both
occurrences) to use activationComments:false (remove the surrounding quotes) so
the payload sends a boolean rather than a string.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and has the mentioned lines
if [ -f .github/workflows/gh-aw-text-auditor.lock.yml ]; then
  echo "File found. Checking line count and relevant lines..."
  wc -l .github/workflows/gh-aw-text-auditor.lock.yml
  echo "=== Line 1309 ==="
  sed -n '1309p' .github/workflows/gh-aw-text-auditor.lock.yml
  echo "=== Line 1474 ==="
  sed -n '1474p' .github/workflows/gh-aw-text-auditor.lock.yml
else
  echo "File not found"
fi

Repository: elastic/ai-github-actions

Length of output: 805

---

🏁 Script executed:

# Search for all occurrences of activationComments in the workflow file
rg "activationComments" .github/workflows/

Repository: elastic/ai-github-actions

Length of output: 33872

---

🌐 Web query:

gh-aw activationComments safe-output messages format boolean type v0.49.3

💡 Result:

In gh-aw v0.49.3, you can disable the bot’s activation / fallback comments by setting this frontmatter boolean flag:

activation-comments: false

This was introduced specifically to “silence activation comments.” [1]

For safe output messages, configuration lives under safe-outputs.messages and supports these message types:

• run-started
• run-success
• run-failure
• footer (and supports template variables like {workflow_name} / {run_url}) [2]

If you meant a specific schema field like activationComments (camelCase) or a safe-outputs.messages.*.format field/type, tell me where you’re seeing it (error text or schema link) and I can pinpoint the exact expected type.

Sources: [1] [2]

---

🌐 Web query:

gh-aw GH_AW_SAFE_OUTPUT_MESSAGES schema safe-output-messages activationComments

💡 Result:

In gh-aw, “safe output messages” are configured in frontmatter under:

• safe-outputs.messages (YAML, kebab-case keys like run-started, run-success, etc.) and validated by the workflow frontmatter JSON schema. The schema lists the available message keys and placeholders (for example {workflow_name}, {run_url}, {event_type}, {status}, etc.). [1]
• At runtime, the safe-output JavaScript reads overrides from the GH_AW_SAFE_OUTPUT_MESSAGES environment variable as JSON (the project’s “messages” dev guide explicitly uses/clears this env var in tests and examples). [2]

activationComments specifically is not a safe-output-messages key.

• The schema field that controls whether activation/fallback comments happen at all is safe-outputs.activation-comments (YAML key, kebab-case). Setting it to false disables all activation/fallback comments (run-started/run-success/run-failure + created-item links). [1]

If what you actually want is to customize the text of the activation comments, do that via message templates such as:

• safe-outputs.messages.run-started
• safe-outputs.messages.run-success
• safe-outputs.messages.run-failure [1]

(Those are the activation-comment message templates; activation-comments is the on/off switch.) [1]

Sources: [1] [2]

---

🏁 Script executed:

# Search the repo for any configuration or schema documentation
fd -t f README .github docs . | head -20

Repository: elastic/ai-github-actions

Length of output: 978

---

🏁 Script executed:

# Search for gh-aw references in configuration files or docs
rg "safe-output|activationComments|GH_AW_SAFE_OUTPUT_MESSAGES" --type md --type yaml --type json | head -30

Repository: elastic/ai-github-actions

Length of output: 4192

---

Remove activationComments from GH_AW_SAFE_OUTPUT_MESSAGES—it is not a valid safe-output-messages field.

activationComments is not a documented field in the safe-output-messages schema. Activation comments are controlled via the safe-outputs.activation-comments frontmatter key (YAML), not through the GH_AW_SAFE_OUTPUT_MESSAGES environment variable. The valid message keys are: run-started, run-success, run-failure, and footer. This setting has no effect and should be removed from all workflow files.

This affects 42+ workflow files across the codebase with the same issue. Consolidate the fix by removing the invalid "activationComments":"false" property from the environment variable in all occurrences.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/gh-aw-text-auditor.lock.yml at line 1309, The
GH_AW_SAFE_OUTPUT_MESSAGES environment variable contains an invalid
"activationComments" property; remove the `"activationComments":"false"` entry
from the GH_AW_SAFE_OUTPUT_MESSAGES JSON value (the environment variable named
GH_AW_SAFE_OUTPUT_MESSAGES) so the JSON only includes valid safe-output-messages
keys (run-started, run-success, run-failure, footer); apply this removal to all
workflow files that set GH_AW_SAFE_OUTPUT_MESSAGES to consolidate the fix.