📝 Walkthrough
Refactors many GitHub Actions workflows: replaces per-workspace UV installs with a symlink under /opt/hostedtoolcache/gh-aw-tools/current/x64/bin, removes
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/gh-aw-fragments/playwright-mcp-explorer.md (1)
75-78: ⚠️ Potential issue | 🟡 Minor
Clarify page-state wording to avoid contradiction with disabled auto snapshots.
Line 75 says users “see the page state after each action,” but Line 25+ says automatic snapshots are disabled and some tools don’t return state. Recommend rewording to “you can inspect page state on demand.”
Suggested doc tweak
- MCP tools are interactive: you see the page state after each action and + MCP tools are interactive: you can inspect page state on demand between actions and🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-fragments/playwright-mcp-explorer.md around lines 75 - 78, Replace the contradictory phrase "see the page state after each action" with wording that reflects disabled automatic snapshots and occasional lack of returned state—e.g., change it to "you can inspect page state on demand" or similar; update the sentence containing the exact phrase "see the page state after each action" to reference manual/explicit inspection and cross-reference the existing note about "automatic snapshots are disabled" so the doc consistently conveys that snapshots must be requested rather than captured automatically.
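Review bot: The `+` line says page state can be inspected "on demand" but does not name the calls that do it. Since automatic snapshots are disabled, name `browser_snapshot` / `browser_take_screenshot` in that sentence so the agent knows what to invoke, and use one wording for this sentence across all fragments that carry it.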
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/gh-aw-fragments/playwright-mcp-explorer.md:
- Around line 48-50: The example POST snippet for browser_run_code uses
undefined symbols (url, data) — make it self-contained by declaring lightweight
placeholders before usage: define a sample url string (e.g., endpoint for
browser_run_code) and a minimal data object (e.g., {code: "...", language:
"..."}), then call page.request.post(url, {data}) and await res.json(); update
the snippet around the async (page) => { ... } block to include these
placeholder declarations so readers can copy/paste directly.
📒 Files selected for processing (1)
.github/workflows/gh-aw-fragments/playwright-mcp-explorer.md
| async (page) => { | ||
| const res = await page.request.post(url, {data}); | ||
| const json = await res.json(); |
Make the browser_run_code POST example self-contained.
Line 49 references url and data without showing their origin, which makes copy/paste usage ambiguous. Add lightweight placeholders in the snippet.
Suggested doc tweak
async (page) => {
+ const url = 'https://example.test/api';
+ const data = { foo: 'bar' };
const res = await page.request.post(url, {data});
const json = await res.json();📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| async (page) => { | |
| const res = await page.request.post(url, {data}); | |
| const json = await res.json(); | |
| async (page) => { | |
| const url = 'https://example.test/api'; | |
| const data = { foo: 'bar' }; | |
| const res = await page.request.post(url, {data}); | |
| const json = await res.json(); |
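Review bot: Missing status check before `const json = await res.json();`: a non-2xx response with a non-JSON body makes the parse throw inside `browser_run_code`, and the two added placeholder lines do not change that. Because the snippet is meant to be copied as-is, check `res.ok()` (or `res.status()`) right after `page.request.post(url, {data})` and return the status when it fails.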
Replace 48 lines of manual actions/setup-* steps with the built-in runtimes: frontmatter block using if: conditions for file-based detection (go.mod, .python-version, .node-version, .nvmrc, .ruby-version, pyproject.toml/uv.lock). The compiler now generates pinned setup steps automatically. Copilot CLI config and repo conventions steps are retained. Made-with: Cursor
- Batch actions in browser_run_code for efficiency
- Save snapshots to disk for discovery, grep for refs
- Soften standalone script language
- Replace 'why not scripts' with practical run_code error handling advice
- Add snapshot-mode none arg

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 12
Note
Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.
🟡 Minor comments (10)
.github/workflows/gh-aw-mention-in-issue-by-id.lock.yml-557-557 (1)
557-557: ⚠️ Potential issue | 🟡 Minor
Playwright guidance is internally inconsistent after disabling auto snapshots.
This block says automatic snapshots are disabled, but later says you “see the page state after each action.” That contradiction can drive incorrect tool usage.
Based on learnings: update this wording in the source `.md` fragment (not the lockfile) and regenerate via `gh aw compile`.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-mention-in-issue-by-id.lock.yml at line 557, The Playwright guidance in the heredoc created by the "cat > /tmp/playwright-instructions.md << 'EOF'" step is inconsistent: it says automatic snapshots are disabled but later claims "you see the page state after each action." Edit the source .md fragment (not this lockfile) to clarify that automatic snapshots are disabled and that actions do NOT automatically reveal page state (explain how to capture state via explicit snapshot/screenshot or browser_run_code), then regenerate the compiled artifact by running "gh aw compile" so the updated text replaces the heredoc content used by the workflow.
.github/workflows/gh-aw-mention-in-pr.invalid.yml-764-764 (1)
764-764: ⚠️ Potential issue | 🟡 Minor
Playwright guidance is internally inconsistent after enabling snapshot-on-demand.
The same instructions say automatic snapshots are disabled (no state returned by actions) but later claim you “see page state after each action.” Please align this wording to avoid confusing agent behavior.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-mention-in-pr.invalid.yml at line 764, The doc has an internal contradiction: the header "Automatic snapshots are disabled" and the sentence "MCP tools are interactive: you see the page state after each action and decide what to do next." conflict; update the wording so both statements align by clarifying that actions do not return page state and that agents must explicitly capture state with snapshot/screenshot tools. Specifically, change the sentence that begins "MCP tools are interactive: you see the page state after each action and decide what to do next." to something like "MCP tools are interactive: actions do not return page state automatically — use browser_snapshot or browser_take_screenshot (or browser_run_code results) to inspect the page after actions," and ensure the "Automatic snapshots are disabled" section explains snapshot-on-demand and when to use browser_snapshot/browser_take_screenshot.
.github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml-605-605 (1)
605-605: ⚠️ Potential issue | 🟡 Minor
Playwright guidance is internally inconsistent and can mislead agent behavior.
In Line 605, the instructions first say snapshots are on-demand/disabled, but later claim the agent “see[s] the page state after each action.” With snapshot mode disabled, that second statement is inaccurate and can cause missed explicit `browser_snapshot`/`browser_take_screenshot` calls.
Suggested source fix (in the corresponding `.md` fragment, then recompile)
- MCP tools are interactive: you see the page state after each action and - decide what to do next. This is ideal for exploratory testing where you - need to adapt based on what you find. + MCP tools are interactive: you can inspect page state on demand + (`browser_snapshot` / `browser_take_screenshot`) and decide what to do next. + This is ideal for exploratory testing where you need to adapt based on what you find.
Based on learnings, this `.lock.yml` is generated output; apply this fix in the corresponding source `.md` file and run `gh aw compile`.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml at line 605, The guidance text incorrectly states that MCP tools let the agent "see the page state after each action" while earlier noting automatic snapshots are disabled; update the source .md fragment so the paragraph that currently begins "MCP tools are interactive: you see the page state after each action and decide what to do next." explicitly says automatic snapshots are disabled and that the agent must call browser_snapshot or browser_take_screenshot (or other inspection tools) to view page state after actions; then recompile with gh aw compile to regenerate the .lock.yml.
.github/workflows/gh-aw-newbie-contributor-patrol.lock.yml-540-568 (1)
540-568: ⚠️ Potential issue | 🟡 Minor
All action versions are current; GOROOT capture runs unconditionally while Setup Go is conditional.
All referenced versions are valid: setup-go v6.3.0 (Feb 26, 2026), setup-node v6.3.0 (Mar 4, 2026), setup-python v6.2.0 (Jan 22, 2026), setup-ruby v1.292.0 (Mar 11, 2026), setup-uv v7.5.0 (Mar 12, 2026), and Go 1.25.8 exist.
However, the GOROOT capture step (lines 547–548) runs unconditionally while Setup Go (line 542) is gated on `hashFiles('go.mod') != ''`. If intentional (using runner's pre-installed Go as fallback), add a comment. Otherwise, fix the source `runtime-setup.md` fragment to apply the same condition.
This lock file is auto-generated by `gh-aw`; edits must be made to the source `.md` and recompiled.
.github/workflows/agent-deep-dive.lock.yml-539-563 (1)
539-563: ⚠️ Potential issue | 🟡 Minor
Update ruby/setup-ruby to v1.293.0.
The ruby/setup-ruby action is outdated. Update from `v1.292.0` to `v1.293.0` (released March 14, 2026). The other actions (setup-go@v6.3.0, setup-node@v6.3.0, setup-python@v6.2.0, setup-uv@v7.5.0) are current as of March 2026.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/agent-deep-dive.lock.yml around lines 539 - 563, Update the ruby/setup-ruby action reference used in the workflow (the line starting with "uses: ruby/setup-ruby@4eb9f110bac952a8b68ecf92e3b5c7a987594ba6") to the new release tag v1.293.0; replace the existing pinned commit/hash with "ruby/setup-ruby@v1.293.0" so the workflow uses the March 14, 2026 release.
.github/workflows/gh-aw-project-summary.lock.yml-569-582 (1)
569-582: ⚠️ Potential issue | 🟡 Minor
Update Go to 1.26.1.
The `package-manager-cache` input is valid for `actions/setup-node@v6`. Node.js 24 is the current LTS as of March 2026. However, Go 1.25 is outdated; Go 1.26.1 was released March 5, 2026. Update line 571 to `go-version: '1.26.1'`.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-project-summary.lock.yml around lines 569 - 582, Update the "Setup Go" action to use Go 1.26.1 by changing the go-version input in the Setup Go step (the job entry with name "Setup Go" / uses: actions/setup-go@4b73464...) from '1.25' to '1.26.1'; keep the rest of the step (cache: false and the conditional hashFiles('go.mod')) unchanged so the workflow targets the new Go release.
.github/workflows/gh-aw-mention-in-pr-no-sandbox.invalid.yml-731-731 (1)
731-731: ⚠️ Potential issue | 🟡 Minor
Fix contradictory guidance in Playwright MCP instructions.
The "Automatic snapshots are disabled" section correctly states tools do NOT return page state, but the "Why MCP tools instead of scripts" section says agents see page state after each action. With `--snapshot-mode none`, the agent must explicitly call `browser_snapshot` or `browser_take_screenshot`—interactivity is on-demand, not automatic. Reword that section to match the disabled-snapshots behavior.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-mention-in-pr-no-sandbox.invalid.yml at line 731, The "Why MCP tools instead of scripts" paragraph contradicts the "Automatic snapshots are disabled" section; update that paragraph to state that page state is NOT automatically returned and must be explicitly captured with browser_snapshot or browser_take_screenshot (or other inspection tools) when using the listed tools (browser_navigate, browser_click, browser_type, browser_run_code, browser_wait_for, browser_take_screenshot, browser_snapshot). Edit the text under the "Why MCP tools instead of scripts" heading to replace "you see the page state after each action" with a clear instruction that agents must call browser_snapshot or browser_take_screenshot to inspect page state on demand. Ensure the guidance about on-demand interactivity and not using automatic snapshots is consistent across the document.
.github/workflows/gh-aw-scheduled-audit.lock.yml-575-575 (1)
575-575: ⚠️ Potential issue | 🟡 Minor
The prompt still describes the old auto-snapshot model.
This block says automatic snapshots are disabled, but later says MCP tools let the agent "see the page state after each action." With `--snapshot-mode none`, page state is only available after an explicit `browser_snapshot`, so the prompt is teaching both models at once.
Based on learnings, `.lock.yml` files here are generated by `gh aw compile`, so the wording fix belongs in the source fragment and should be recompiled.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-scheduled-audit.lock.yml at line 575, Update the prompt text so it no longer contradicts the configured snapshot mode: modify the paragraph that currently begins "Automatic snapshots are disabled" and the sentence "MCP tools are interactive: you see the page state after each action" to clearly state that with --snapshot-mode none the agent only sees page state after an explicit browser_snapshot (or browser_take_screenshot) call; then recompile the generated lock file using the gh aw compile pipeline that produces this .lock.yml so the change propagates.
.github/workflows/gh-aw-pr-review-addresser.lock.yml-566-567 (1)
566-567: ⚠️ Potential issue | 🟡 Minor
GOROOT capture runs unconditionally but Go setup is conditional.
The "Setup Go" step (line 560-565) is gated by `hashFiles('go.mod') != ''`, but "Capture GOROOT" runs always. When no `go.mod` exists, this captures the runner's default Go version rather than 1.25, potentially causing AWF chroot mode mismatches.
Since this is an auto-generated lock file, the fix should be applied to the source `.md` file by adding the same condition to the GOROOT capture step.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-pr-review-addresser.lock.yml around lines 566 - 567, The "Capture GOROOT for AWF chroot mode" step currently runs unconditionally; update the source .md workflow snippet so that this step includes the same gating condition as the "Setup Go" step (i.e., if: hashFiles('go.mod') != ''), ensuring GOROOT is only captured when Go is set up (reference the step named "Capture GOROOT for AWF chroot mode" and the condition hashFiles('go.mod') != '' so the change is applied to the generated lock via the source .md).
.github/workflows/gh-aw-create-pr-from-issue.lock.yml-539-539 (1)
539-539: ⚠️ Potential issue | 🟡 Minor
Fix contradictory Playwright guidance in the snapshot-on-demand instructions.
This block says auto snapshots are disabled, but later says agents “see the page state after each action.” That contradiction can cause missed explicit `browser_snapshot` calls.
✏️ Proposed wording update (in source fragment)
- MCP tools are interactive: you see the page state after each action and - decide what to do next. + MCP tools are interactive, but with `--snapshot-mode none` you only see + page state when you explicitly call `browser_snapshot` or + `browser_take_screenshot`.
Based on learnings: this `.lock.yml` is generated by `gh aw compile`; update the source Markdown fragment and recompile.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-create-pr-from-issue.lock.yml at line 539, Update the Playwright MCP Tools markdown fragment to remove the contradiction: replace the sentence claiming agents “see the page state after each action” with a clear statement that automatic snapshots are disabled and agents must explicitly call browser_snapshot or browser_take_screenshot to capture page state after actions; adjust guidance in the "Automatic snapshots are disabled" and "Why MCP tools instead of scripts" sections to consistently state that page state is not returned automatically and to show examples of when to call browser_snapshot, browser_run_code, or browser_take_screenshot; then recompile the generated .lock.yml via the gh aw compile step that produces the file.
🧹 Nitpick comments (4)
.github/workflows/gh-aw-text-auditor.lock.yml (1)
739-740: Gate `Capture GOROOT` with the same Go detection condition.
`Capture GOROOT` currently runs unconditionally, while Go setup is conditional. Aligning conditions makes this block more robust for non-Go repos/runners.
Proposed adjustment (apply in the source workflow `.md`/fragment, then recompile)
- name: Capture GOROOT for AWF chroot mode + if: hashFiles('go.mod') != '' run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV"
Based on learnings: `.lock.yml` should be regenerated from source `.md` files rather than edited directly.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-text-auditor.lock.yml around lines 739 - 740, Gate the "Capture GOROOT for AWF chroot mode" step so it only runs when the workflow's Go-detection condition is true (the same conditional used to decide whether to run the Go setup step), e.g., add the identical if: condition that guards the Go setup to the step with name "Capture GOROOT for AWF chroot mode" (so the echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" runs only when Go is present); after changing the source fragment (.md) recompile/generate the .lock.yml instead of editing the lock file directly.
.github/workflows/gh-aw-internal-gemini-cli.lock.yml (1)
1027-1033: Pin the Playwright MCP image before relying on `--snapshot-mode`.
Lines 1027-1033 make the workflow depend on a specific Playwright MCP feature set, but the container on Line 1018 is still floating `mcr.microsoft.com/playwright/mcp`. A future image update can silently change or drop this contract. Pin the image tag or digest to the version validated with `browser_run_code` and `--snapshot-mode none`.
Based on learnings, files under `.github/workflows` with the `.lock.yml` extension are auto-generated by running `gh aw compile`, so this should be fixed in the source Markdown/fragment and then recompiled.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-internal-gemini-cli.lock.yml around lines 1027 - 1033, The workflow currently passes "--snapshot-mode none" in the entrypointArgs but uses an unpinned container image "mcr.microsoft.com/playwright/mcp", which risks future breaks; update the source Markdown/fragment that generates this .lock.yml to pin the Playwright MCP image to the validated tag or digest (replace "mcr.microsoft.com/playwright/mcp" with the exact tag or digest you validated with browser_run_code and --snapshot-mode none), then re-run "gh aw compile" to regenerate the .github/workflows/*.lock.yml files so the compiled file will include the pinned image.
.github/workflows/gh-aw-agent-suggestions.lock.yml (1)
602-603: Guard `Capture GOROOT` with the same condition as `setup-go`.
Line 603 runs even when Line 598 skips Go setup. This makes the step depend on whatever Go happens to be preinstalled on the runner. Add the same `if: hashFiles('go.mod') != ''` guard here.
♻️ Proposed fix
- name: Capture GOROOT for AWF chroot mode + if: hashFiles('go.mod') != '' run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV"
Based on learnings: files under `.github/workflows` with `.lock.yml` are generated via `gh aw compile`, so apply this change in the source `.md` fragment and recompile.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-agent-suggestions.lock.yml around lines 602 - 603, The "Capture GOROOT for AWF chroot mode" step currently runs unconditionally and should be guarded the same way as the Go setup step; add the same if: hashFiles('go.mod') != '' condition to the step named "Capture GOROOT for AWF chroot mode" so it only runs when go.mod is present (mirror the condition used by the setup-go step), and then regenerate the workflow from the corresponding .md fragment and recompile with gh aw compile.
.github/workflows/gh-aw-deep-research.lock.yml (1)
544-549: Consider deduplicating Node setup in this job.
`Setup Node.js` here can overlap with the unconditional Node setup at Line 607, so this may do redundant work on runs where both execute.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/gh-aw-deep-research.lock.yml around lines 544 - 549, The "Setup Node.js" step (uses: actions/setup-node@... with node-version: '24' and package-manager-cache: false) is duplicated later unconditionally; remove or consolidate so Node is only set up once: either delete this conditional step and rely on the unconditional setup at the later "Setup Node.js" step, or merge them by keeping one "Setup Node.js" step and adding the condition (if: hashFiles('.node-version') != '' || hashFiles('.nvmrc') != '') or expanding its condition to cover all job paths—update only the step named "Setup Node.js" to avoid redundant runs.
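The recurring finding above (a `run:` step that calls `go` while the `Setup Go` step before it is gated on `hashFiles('go.mod') != ''`) can be checked mechanically. The following is an added example, not part of the review or of the gh-aw project: a line-based scan of a workflow's steps, generalized to the other setup actions named in the comments. The sample workflow, the `<pinned-sha>` placeholder, the `astral-sh/setup-uv` owner and the action-to-binary table are assumptions.

```python
import re

# Constructed sample modelled on the steps quoted in the review (not the repository's file).
SAMPLE_WORKFLOW = """\
steps:
  - name: Setup Go
    if: hashFiles('go.mod') != ''
    uses: actions/setup-go@<pinned-sha>
    with:
      go-version: '1.25'
      cache: false
  - name: Capture GOROOT for AWF chroot mode
    run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV"
  - name: Setup Python
    if: hashFiles('.python-version') != ''
    uses: actions/setup-python@<pinned-sha>
  - name: Show Python version
    if: hashFiles('.python-version') != ''
    run: python --version
"""

# Assumed mapping from setup action to the binaries it puts on PATH.
TOOLCHAINS = {
    "actions/setup-go": ("go",),
    "actions/setup-node": ("node", "npm", "npx"),
    "actions/setup-python": ("python", "python3", "pip"),
    "ruby/setup-ruby": ("ruby", "bundle", "gem"),
    "astral-sh/setup-uv": ("uv",),
}

STEP_START = re.compile(r"^(\s*)-\s+(\w[\w-]*):\s*(.*)$")
KEY_LINE = re.compile(r"^\s+(\w[\w-]*):\s*(.*)$")


def parse_steps(text):
    """Collect the top-level keys of each step; block scalars (run: |) are joined."""
    steps, step, indent, block = [], None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip())
        m = STEP_START.match(line)
        if m and (indent is None or depth == indent):
            indent, block = depth, None
            step = {m.group(2): m.group(3).strip()}
            steps.append(step)
        elif step is not None and depth == indent + 2 and (k := KEY_LINE.match(line)):
            key, value = k.group(1), k.group(2).strip()
            block = key if value in ("|", ">", "|-", ">-") else None
            step[key] = "" if block else value
        elif step is not None and block and depth > indent + 2:
            step[block] += line.strip() + "\n"
    return steps


def normalize_guard(expr):
    """Strip an optional ${{ }} wrapper and collapse whitespace."""
    expr = (expr or "").strip()
    m = re.fullmatch(r"\$\{\{\s*(.*?)\s*\}\}", expr)
    return re.sub(r"\s+", " ", m.group(1) if m else expr)


def find_unguarded_tool_use(text):
    """Return (step name, binary, required guard) for each run step that calls a
    binary whose setup step is conditional while the run step lacks that guard."""
    guards = {}  # binary -> guard of the most recent setup step providing it
    findings = []
    for step in parse_steps(text):
        action = step.get("uses", "").split("@")[0]
        guard = normalize_guard(step.get("if"))
        if action in TOOLCHAINS:
            for binary in TOOLCHAINS[action]:
                if guard:
                    guards[binary] = guard
                else:
                    # An unconditional setup makes the tool available on every run.
                    guards.pop(binary, None)
            continue
        run = step.get("run", "")
        for binary, needed in guards.items():
            called = re.search(rf"(?<![\w./-]){re.escape(binary)}(?=\s|$)", run)
            if called and needed not in guard:
                findings.append((step.get("name", "<unnamed>"), binary, needed))
    return findings


if __name__ == "__main__":
    for name, binary, needed in find_unguarded_tool_use(SAMPLE_WORKFLOW):
        print(f"{name!r} runs '{binary}' without guard: if: {needed}")
```

Run it against the source fragment rather than the generated `.lock.yml`, since the review notes that the lock files are regenerated by `gh aw compile`.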
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/gh-aw-code-complexity-detector.lock.yml:
- Around line 716-744: The workflow hardcodes tool versions (go-version: '1.25',
node-version: '24', python-version: '3.12', ruby-version: '3.3') while only
using hashFiles(...) existence checks; update the runtime-setup fragment
(runtime-setup.md) so the "Setup Go" (actions/setup-go), "Setup Node.js"
(actions/setup-node), "Setup Python" (actions/setup-python) and "Setup Ruby"
(ruby/setup-ruby) steps derive their version inputs from the caller repo’s pin
files (e.g., read go.mod/go toolchain pin, .nvmrc or .node-version,
.python-version, .ruby-version) instead of hardcoding defaults, keep the
conditional presence checks but pass the file contents (or parsed values) into
the corresponding with: version fields so generated .lock.yml emits the
repo-declared runtime versions.
In @.github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml:
- Around line 549-556: The "Capture GOROOT for AWF chroot mode" step runs
unconditionally while the preceding "Setup Go" step is conditional, causing
failures when go is not installed; update the "Capture GOROOT" step to use the
same condition (if: hashFiles('go.mod') != '') so `go env GOROOT` only runs when
Go was detected, and then update the source workflow fragment where these steps
are defined and regenerate the locked workflow with `gh aw compile`.
In @.github/workflows/gh-aw-fragments/runtime-setup.md:
- Around line 2-4: The workflow condition currently only checks
hashFiles('go.mod') and therefore misses repositories rooted by go.work; update
the if condition on the Go runtime (the "if: hashFiles('go.mod') != ''" line
under runtimes.go) to also check for go.work, e.g. change it to evaluate
hashFiles('go.mod') != '' || hashFiles('go.work') != '' so the Go setup runs for
repos with either file.
In @.github/workflows/gh-aw-internal-gemini-cli.lock.yml:
- Around line 577-578: The Playwright instructions write an example snapshot
path to /tmp/gh-aw/agent/page.md which is not mounted back to the host; update
the example in the Playwright instructions (the heredoc written by the "Write
Playwright instructions to disk" step that contains the browser_snapshot(...)
example) to use a shared mount such as /tmp/gh-aw/mcp-logs/playwright/page.md
(or note mounting /tmp/gh-aw/agent as an alternative), and then fix the upstream
source Markdown/fragment that generates this .lock.yml and re-run gh aw compile
so the change persists.
In @.github/workflows/gh-aw-mention-in-issue-by-id.lock.yml:
- Around line 521-527: The "Capture GOROOT for AWF chroot mode" step is running
unconditionally and should be gated by the same Go-detection condition as the
"Setup Go" step; update the source workflow fragment (the .md snippet that
generates this .lock.yml) to wrap the step named "Capture GOROOT for AWF chroot
mode" with the same if: hashFiles('go.mod') != '' condition (or move the echo
into the conditional block), then regenerate the lock file with `gh aw compile`
so the generated .github/workflows/gh-aw-mention-in-issue-by-id.lock.yml has the
GOROOT capture step behind the Go detection gate.
In @.github/workflows/gh-aw-mention-in-pr.invalid.yml:
- Around line 721-726: The "Capture GOROOT for AWF chroot mode" step currently
runs unconditionally and should be guarded with the same condition used for the
Go setup; update the step titled "Capture GOROOT for AWF chroot mode" to include
the if: hashFiles('go.mod') != '' condition (the same conditional used by the
actions/setup-go step) so the echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV"
only runs when go.mod exists and actions/setup-go was executed.
In @.github/workflows/gh-aw-pr-actions-detective.lock.yml:
- Around line 519-545: The runtime setup hardcodes versions in the workflow
steps ("Setup Go", "Setup Node.js", "Setup Python", "Setup Ruby", "Setup uv")
instead of using repo-declared pins; update the runtime-setup.md fragment so
each setup step reads the repo version files (e.g., parse go.mod/go version,
.nvmrc or .node-version, .python-version, .ruby-version, and
pyproject.toml/uv.lock as needed) in a preceding step, expose them as outputs or
environment variables, and wire those variables into the corresponding uses
input fields (go-version, node-version, python-version, ruby-version, etc.) so
the actions consume the actual repo-declared versions rather than hardcoded
defaults.
In @.github/workflows/gh-aw-pr-labeler.lock.yml:
- Around line 432-447: The workflow currently ignores repo runtime pins by
hardcoding Node 24, Python 3.12 and Ruby 3.3; update the shared workflow source
(the .md that generates these .lock.yml files) so the setup steps read the repo
pin files and pass those values into the setup actions instead of hardcoding
versions: keep the existing existence checks (hashFiles('.nvmrc') etc.), read
the contents of .nvmrc/.node-version/.python-version/.ruby-version and set
node-version/python-version/ruby-version to those values for the corresponding
actions (the steps using actions/setup-node, actions/setup-python and
ruby/setup-ruby referenced in the diff), then re-run gh aw compile to regenerate
the .lock.yml; do not edit the generated .lock.yml directly.
In @.github/workflows/gh-aw-refactor-opportunist.lock.yml:
- Around line 629-630: The "Capture GOROOT for AWF chroot mode" step currently
runs unconditionally; guard it with the same condition used by the "Setup Go"
step so it only runs when Go is being configured (e.g., check the same input/if
expression or matrix key used by the Setup Go step). Update the workflow source
(.md generator) so the `echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV"` run is
wrapped in the same conditional (the same if: or condition expression) as the
Setup Go step, then re-run the generator (gh aw compile) to regenerate the
.lock.yml.
In @.github/workflows/gh-aw-scheduled-audit.lock.yml:
- Around line 968-969: The Playwright snapshot path is not shared with the host:
either add the agent snapshot directory to the container mounts or change the
agent prompt to write to the already-mounted logs dir; specifically update the
container config referenced by "entrypointArgs" / "mounts" so that the path used
by browser_snapshot(filename="/tmp/gh-aw/agent/page.md") is mount-bound (e.g.,
add "/tmp/gh-aw/agent:/tmp/gh-aw/agent:rw") or modify the agent prompt to save
snapshots under "/tmp/gh-aw/mcp-logs", then recompile via your gh aw compile
input/source fragment so the .lock.yml is regenerated.
In @.github/workflows/gh-aw-scheduled-fix.lock.yml:
- Around line 544-556: The "Setup Python" job step only checks for
.python-version and misses repos that are Python-only via uv
(pyproject.toml/uv.lock), causing runners to use the default interpreter; update
the step's if expression for the "Setup Python" step to also consider
pyproject.toml and uv.lock (e.g., change the hashFiles call used in the "Setup
Python" step to include 'pyproject.toml' and 'uv.lock' so it runs for uv-only
repos) and make the change in the upstream workflow fragment/Markdown that
generates the .lock.yml so the compiled file is regenerated with the new
condition.
In @.github/workflows/gh-aw-stale-issues-remediator.lock.yml:
- Around line 447-449: The "Capture GOROOT for AWF chroot mode" step runs
unconditionally but depends on Go being available; mirror the existing guard
used on the "Setup Go" step (if: hashFiles('go.mod') != '') so the Capture
GOROOT step only runs when go.mod exists and Setup Go executes. Locate the step
titled "Capture GOROOT for AWF chroot mode" and add the same if:
hashFiles('go.mod') != '' conditional to it (matching the "Setup Go" step) to
prevent running go env when Go isn't set up.
that the agent must call browser_snapshot or browser_take_screenshot (or other
inspection tools) to view page state after actions; then recompile with gh aw
compile to regenerate the .lock.yml.
In @.github/workflows/gh-aw-mention-in-pr-no-sandbox.invalid.yml:
- Line 731: The "Why MCP tools instead of scripts" paragraph contradicts the
"Automatic snapshots are disabled" section; update that paragraph to state that
page state is NOT automatically returned and must be explicitly captured with
browser_snapshot or browser_take_screenshot (or other inspection tools) when
using the listed tools (browser_navigate, browser_click, browser_type,
browser_run_code, browser_wait_for, browser_take_screenshot, browser_snapshot).
Edit the text under the "Why MCP tools instead of scripts" heading to replace
"you see the page state after each action" with a clear instruction that agents
must call browser_snapshot or browser_take_screenshot to inspect page state on
demand. Ensure the guidance about on-demand interactivity and not using
automatic snapshots is consistent across the document.
In @.github/workflows/gh-aw-mention-in-pr.invalid.yml:
- Line 764: The doc has an internal contradiction: the header "Automatic
snapshots are disabled" and the sentence "MCP tools are interactive: you see the
page state after each action and decide what to do next." conflict; update the
wording so both statements align by clarifying that actions do not return page
state and that agents must explicitly capture state with snapshot/screenshot
tools. Specifically, change the sentence that begins "MCP tools are interactive:
you see the page state after each action and decide what to do next." to
something like "MCP tools are interactive: actions do not return page state
automatically — use browser_snapshot or browser_take_screenshot (or
browser_run_code results) to inspect the page after actions," and ensure the
"Automatic snapshots are disabled" section explains snapshot-on-demand and when
to use browser_snapshot/browser_take_screenshot.
In @.github/workflows/gh-aw-pr-review-addresser.lock.yml:
- Around line 566-567: The "Capture GOROOT for AWF chroot mode" step currently
runs unconditionally; update the source .md workflow snippet so that this step
includes the same gating condition as the "Setup Go" step (i.e., if:
hashFiles('go.mod') != ''), ensuring GOROOT is only captured when Go is set up
(reference the step named "Capture GOROOT for AWF chroot mode" and the condition
hashFiles('go.mod') != '' so the change is applied to the generated lock via the
source .md).
In @.github/workflows/gh-aw-project-summary.lock.yml:
- Around line 569-582: Update the "Setup Go" action to use Go 1.26.1 by changing
the go-version input in the Setup Go step (the job entry with name "Setup Go" /
uses: actions/setup-go@4b73464...) from '1.25' to '1.26.1'; keep the rest of the
step (cache: false and the conditional hashFiles('go.mod')) unchanged so the
workflow targets the new Go release.
In @.github/workflows/gh-aw-scheduled-audit.lock.yml:
- Line 575: Update the prompt text so it no longer contradicts the configured
snapshot mode: modify the paragraph that currently begins "Automatic snapshots
are disabled" and the sentence "MCP tools are interactive: you see the page
state after each action" to clearly state that with --snapshot-mode none the
agent only sees page state after an explicit browser_snapshot (or
browser_take_screenshot) call; then recompile the generated lock file using the
gh aw compile pipeline that produces this .lock.yml so the change propagates.
---
Nitpick comments:
In @.github/workflows/gh-aw-agent-suggestions.lock.yml:
- Around line 602-603: The "Capture GOROOT for AWF chroot mode" step currently
runs unconditionally and should be guarded the same way as the Go setup step;
add the same if: hashFiles('go.mod') != '' condition to the step named "Capture
GOROOT for AWF chroot mode" so it only runs when go.mod is present (mirror the
condition used by the setup-go step), and then regenerate the workflow from the
corresponding .md fragment and recompile with gh aw compile.
In @.github/workflows/gh-aw-deep-research.lock.yml:
- Around line 544-549: The "Setup Node.js" step (uses: actions/setup-node@...
with node-version: '24' and package-manager-cache: false) is duplicated later
unconditionally; remove or consolidate so Node is only set up once: either
delete this conditional step and rely on the unconditional setup at the later
"Setup Node.js" step, or merge them by keeping one "Setup Node.js" step and
adding the condition (if: hashFiles('.node-version') != '' ||
hashFiles('.nvmrc') != '') or expanding its condition to cover all job
paths—update only the step named "Setup Node.js" to avoid redundant runs.
In @.github/workflows/gh-aw-internal-gemini-cli.lock.yml:
- Around line 1027-1033: The workflow currently passes "--snapshot-mode none" in
the entrypointArgs but uses an unpinned container image
"mcr.microsoft.com/playwright/mcp", which risks future breaks; update the source
Markdown/fragment that generates this .lock.yml to pin the Playwright MCP image
to the validated tag or digest (replace "mcr.microsoft.com/playwright/mcp" with
the exact tag or digest you validated with browser_run_code and --snapshot-mode
none), then re-run "gh aw compile" to regenerate the
.github/workflows/*.lock.yml files so the compiled file will include the pinned
image.
In @.github/workflows/gh-aw-text-auditor.lock.yml:
- Around line 739-740: Gate the "Capture GOROOT for AWF chroot mode" step so it
only runs when the workflow's Go-detection condition is true (the same
conditional used to decide whether to run the Go setup step), e.g., add the
identical if: condition that guards the Go setup to the step with name "Capture
GOROOT for AWF chroot mode" (so the echo "GOROOT=$(go env GOROOT)" >>
"$GITHUB_ENV" runs only when Go is present); after changing the source fragment
(.md) recompile/generate the .lock.yml instead of editing the lock file
directly.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 35b8d350-d20d-423c-b5d0-3323bdd9606f
📒 Files selected for processing (62)
- .github/workflows/agent-deep-dive.lock.yml
- .github/workflows/agent-efficiency.lock.yml
- .github/workflows/gh-aw-agent-suggestions.lock.yml
- .github/workflows/gh-aw-autonomy-atomicity-analyzer.lock.yml
- .github/workflows/gh-aw-branch-actions-detective.lock.yml
- .github/workflows/gh-aw-breaking-change-detect.lock.yml
- .github/workflows/gh-aw-breaking-change-detector.lock.yml
- .github/workflows/gh-aw-bug-hunter.lock.yml
- .github/workflows/gh-aw-code-complexity-detector.lock.yml
- .github/workflows/gh-aw-code-duplication-detector.lock.yml
- .github/workflows/gh-aw-code-quality-audit.lock.yml
- .github/workflows/gh-aw-create-pr-from-issue.lock.yml
- .github/workflows/gh-aw-deep-research.lock.yml
- .github/workflows/gh-aw-dependency-review.lock.yml
- .github/workflows/gh-aw-docs-drift.lock.yml
- .github/workflows/gh-aw-docs-patrol.lock.yml
- .github/workflows/gh-aw-estc-actions-resource-not-accessible-detector.lock.yml
- .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml
- .github/workflows/gh-aw-estc-docs-pr-review.lock.yml
- .github/workflows/gh-aw-estc-downstream-health.lock.yml
- .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml
- .github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml
- .github/workflows/gh-aw-flaky-test-investigator.lock.yml
- .github/workflows/gh-aw-fragments/runtime-setup.md
- .github/workflows/gh-aw-framework-best-practices.lock.yml
- .github/workflows/gh-aw-information-architecture.lock.yml
- .github/workflows/gh-aw-internal-gemini-cli-web-search.lock.yml
- .github/workflows/gh-aw-internal-gemini-cli.lock.yml
- .github/workflows/gh-aw-issue-fixer.lock.yml
- .github/workflows/gh-aw-issue-triage.lock.yml
- .github/workflows/gh-aw-mention-in-issue-by-id.lock.yml
- .github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml
- .github/workflows/gh-aw-mention-in-issue.lock.yml
- .github/workflows/gh-aw-mention-in-pr-by-id.invalid.yml
- .github/workflows/gh-aw-mention-in-pr-no-sandbox.invalid.yml
- .github/workflows/gh-aw-mention-in-pr.invalid.yml
- .github/workflows/gh-aw-newbie-contributor-patrol.lock.yml
- .github/workflows/gh-aw-performance-profiler.lock.yml
- .github/workflows/gh-aw-plan.lock.yml
- .github/workflows/gh-aw-pr-actions-detective.lock.yml
- .github/workflows/gh-aw-pr-actions-fixer.lock.yml
- .github/workflows/gh-aw-pr-ci-detective.lock.yml
- .github/workflows/gh-aw-pr-labeler.lock.yml
- .github/workflows/gh-aw-pr-review-addresser.lock.yml
- .github/workflows/gh-aw-pr-review.lock.yml
- .github/workflows/gh-aw-product-manager-impersonator.lock.yml
- .github/workflows/gh-aw-project-summary.lock.yml
- .github/workflows/gh-aw-refactor-opportunist.lock.yml
- .github/workflows/gh-aw-release-update.lock.yml
- .github/workflows/gh-aw-scheduled-audit.lock.yml
- .github/workflows/gh-aw-scheduled-fix.lock.yml
- .github/workflows/gh-aw-small-problem-fixer.lock.yml
- .github/workflows/gh-aw-stale-issues-investigator.lock.yml
- .github/workflows/gh-aw-stale-issues-remediator.lock.yml
- .github/workflows/gh-aw-stale-issues.lock.yml
- .github/workflows/gh-aw-test-coverage-detector.lock.yml
- .github/workflows/gh-aw-text-auditor.lock.yml
- .github/workflows/gh-aw-update-pr-body.lock.yml
- .github/workflows/gh-aw-ux-design-patrol.lock.yml
- .github/workflows/internal-downstream-health.lock.yml
- .github/workflows/upgrade-check.lock.yml
- .github/workflows/workflow-patrol.lock.yml
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/workflow-patrol.lock.yml
.github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml
| runtimes: | ||
| go: | ||
| if: hashFiles('go.mod') != '' |
Detect go.work roots too.
hashFiles('go.mod') misses valid Go repos that are rooted by go.work instead of a top-level go.mod, so those callers will skip Go setup entirely.
Suggested fix
go:
- if: hashFiles('go.mod') != ''
+ if: hashFiles('go.mod', 'go.work') != ''
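Review bot: On the `+ if:` line, widening the Go check to `go.work` only here leaves other Go-dependent steps keyed on the narrower `hashFiles('go.mod') != ''`. The "Capture GOROOT for AWF chroot mode" guards proposed elsewhere in this review use that narrower expression, so a `go.work`-rooted repo would run Setup Go but skip the GOROOT capture. Apply whichever expression is chosen to both steps in the source fragment. The two spellings in this comment, `hashFiles('go.mod', 'go.work') != ''` and `hashFiles('go.mod') != '' || hashFiles('go.work') != ''`, evaluate the same way, so pick one and use it consistently.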
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-fragments/runtime-setup.md around lines 2 - 4, The
workflow condition currently only checks hashFiles('go.mod') and therefore
misses repositories rooted by go.work; update the if condition on the Go runtime
(the "if: hashFiles('go.mod') != ''" line under runtimes.go) to also check for
go.work, e.g. change it to evaluate hashFiles('go.mod') != '' ||
hashFiles('go.work') != '' so the Go setup runs for repos with either file.
| if: hashFiles('go.mod') != '' | ||
| with: | ||
| go-version: '1.25' | ||
| cache: false | ||
| - name: Capture GOROOT for AWF chroot mode | ||
| run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" | ||
| - name: Create gh-aw temp directory | ||
| run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh | ||
| - if: hashFiles('.python-version') != '' | ||
| name: Setup Python | ||
| uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 | ||
| with: | ||
| python-version-file: .python-version | ||
| - if: hashFiles('.node-version') != '' | ||
| name: Setup Node.js (.node-version) | ||
| uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6 | ||
| - name: Setup Node.js |
Gate Capture GOROOT with the same Go detection condition.
Setup Go is now conditional, but go env GOROOT still runs unconditionally. On environments without go in PATH, this can fail the job.
Suggested fix
- name: Capture GOROOT for AWF chroot mode
+ if: hashFiles('go.mod') != ''
run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV"
Based on learnings: this .lock.yml is generated; apply the fix in the corresponding source .md workflow fragment and regenerate with gh aw compile.
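Review bot: The added `if: hashFiles('go.mod') != ''` repeats the Setup Go condition as a second literal, so the two can drift apart when only one is edited (for example if Setup Go is later changed to also match `go.work`). If the generator allows setting a step id, consider gating this step on the outcome of Setup Go instead, e.g. `if: steps.setup-go.outcome == 'success'`, where `setup-go` is a hypothetical id, so the capture runs exactly when Setup Go ran.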
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-mention-in-issue-by-id.lock.yml around lines 521 -
527, The "Capture GOROOT for AWF chroot mode" step is running unconditionally
and should be gated by the same Go-detection condition as the "Setup Go" step;
update the source workflow fragment (the .md snippet that generates this
.lock.yml) to wrap the step named "Capture GOROOT for AWF chroot mode" with the
same if: hashFiles('go.mod') != '' condition (or move the echo into the
conditional block), then regenerate the lock file with `gh aw compile` so the
generated .github/workflows/gh-aw-mention-in-issue-by-id.lock.yml has the GOROOT
capture step behind the Go detection gate.
| - name: Capture GOROOT for AWF chroot mode | ||
| run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV" |
Guard Capture GOROOT with the same Go detection condition.
Line 629/630 currently runs unconditionally, but Setup Go is conditional. In non-Go repos (or if runner images change), this can fail the job or capture an unintended system Go path.
Proposed fix
- name: Capture GOROOT for AWF chroot mode
+ if: hashFiles('go.mod') != ''
run: echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV"
Based on learnings: since this .lock.yml is generated, apply this change in the corresponding workflow .md source and re-run gh aw compile.
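Review bot: On the `run:` line, a failing `go env GOROOT` does not fail the step: the exit status of a command substitution used inside an argument is discarded, `echo` returns 0, and an empty `GOROOT=` is appended to `$GITHUB_ENV`. The added `if:` narrows when this can happen but does not remove it. Assign first (`goroot="$(go env GOROOT)"`) and write `GOROOT=$goroot` afterwards, so that under the runner's default `bash -e` a missing or broken Go toolchain stops the step instead of exporting an empty value.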
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-refactor-opportunist.lock.yml around lines 629 -
630, The "Capture GOROOT for AWF chroot mode" step currently runs
unconditionally; guard it with the same condition used by the "Setup Go" step so
it only runs when Go is being configured (e.g., check the same input/if
expression or matrix key used by the Setup Go step). Update the workflow source
(.md generator) so the `echo "GOROOT=$(go env GOROOT)" >> "$GITHUB_ENV"` run is
wrapped in the same conditional (the same if: or condition expression) as the
Setup Go step, then re-run the generator (gh aw compile) to regenerate the
.lock.yml.
…atter" This reverts commit ca02c77.
| `browser_run_code` do NOT return page state. You choose when to | ||
| inspect the page. | ||
|
|
||
| ## Batch actions with `browser_run_code` |
This fragment expansion appears to push downstream compiled workflows over GitHub’s template-expression size limit.
I verified this on the PR branch by running make compile, which now fails for multiple workflows that import this fragment (gh-aw-mention-in-pr.md, gh-aw-mention-in-pr-by-id.md, gh-aw-mention-in-pr-no-sandbox.md) with:
expression value for "run" (...) exceeds maximum allowed size (20.5 KB).
Because this blocks workflow compilation, please trim this fragment (especially large inline examples) or move detailed examples to a referenced doc so imported run blocks stay under the limit.
…et-pr-number
- Remove gh-aw-mention-in-issue-by-id (unused)
- Remove gh-aw-mention-in-pr-by-id, replace with gh-aw-pr-conflict-addresser
tailored for merge conflict resolution with minimal safe outputs
- Remove target-pr-number input from all PR workflows and safe-output
fragments — event-triggered workflows use 'triggering' target instead
- Fix snapshot path in playwright fragment (/tmp/gh-aw/agent/ -> /tmp/gh-aw/mcp-logs/)
- This eliminates the ${{ }} expression in the safe-outputs tools.json
block, fixing the mention-in-pr 21KB expression size compilation failure
- Delete stale .invalid.yml artifacts now that mention-in-pr compiles
Made-with: Cursor
| safe-outputs: | ||
| push-to-pull-request-branch: | ||
| target: "${{ inputs.target-pr-number || 'triggering' }}" | ||
| target: "triggering" |
This hardcoded target breaks workflow_dispatch flows that operate on an explicit PR number.
gh-aw-pr-conflict-addresser is dispatch-driven and later calls push_to_pull_request_branch, but after this change the compiled safe-output config sets "target":"triggering". On a dispatch run there is no triggering PR context, so the push tool can’t reliably resolve the intended PR branch.
Please keep the generic fragment default, but override this workflow to use the explicit input target (for example in gh-aw-pr-conflict-addresser.md: target: "$\{\{ inputs.target-pr-number }}" for push), or restore the fallback expression here.
Actionable comments posted: 5
♻️ Duplicate comments (1)
.github/workflows/gh-aw-fragments/playwright-mcp-explorer.md (1)
49-50: ⚠️ Potential issue | 🟡 Minor
Make the POST example self-contained.
Line 49 uses `url` and `data` without local definition, so the snippet is not copy/paste-ready.
Suggested doc fix
async (page) => { + const url = 'https://example.test/api'; + const data = { foo: 'bar' }; const res = await page.request.post(url, {data}); const json = await res.json();
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-fragments/playwright-mcp-explorer.md around lines 49 - 50, The snippet calls page.request.post(url, {data}) and then res.json() but never defines url or data, so make the example self-contained by declaring those values locally before the POST; add e.g. a const url = 'https://example.com/endpoint' (or build from variables) and a const data = { /* payload */ } (or FormData) immediately above the page.request.post call so page.request.post and the subsequent const json = await res.json() can be copy/pasted and run as-is.
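Review bot: In the suggested snippet, `res.json()` is called on whatever `page.request.post` returns with no status check, so an error response is parsed as if it were the expected payload, or throws on a non-JSON body. Since the fix already touches these lines to make the example copy/paste-ready, add a check such as `if (!res.ok()) throw new Error(String(res.status()));` before `const json = await res.json();`. The placeholder host also differs between the suggestion (`https://example.test/api`) and the agent prompt (`https://example.com/endpoint`); use one of them in both places.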
🧹 Nitpick comments (2)
.github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml (1)
585-586: Optional: rename this step to match its new behavior.
The step still says “Expose uv in workspace”, but it now symlinks into /opt/hostedtoolcache/.../bin. Renaming would reduce confusion during debugging.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml around lines 585 - 586, The job step named "Expose uv in workspace" no longer exposes uv in the workspace but instead symlinks UV into the toolcache bin path; rename the step title string "Expose uv in workspace" to something more accurate (e.g., "Symlink uv into hostedtoolcache bin" or similar) so it reflects the new behavior and reduces confusion during debugging; update the step name while leaving the run block (the script that creates toolcache_bin, mkdir -p and ln -sf \"$UV_PATH\" \"$toolcache_bin/uv\") unchanged.
.github/workflows/gh-aw-product-manager-impersonator.lock.yml (1)
685-686: Rename the step to match new behavior.
`name: Expose uv in workspace` is now misleading since the command writes to /opt/hostedtoolcache/.../bin. Renaming will make logs clearer.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-product-manager-impersonator.lock.yml around lines 685 - 686, The step name "Expose uv in workspace" is misleading because the script creates a symlink under /opt/hostedtoolcache/.../bin (variable toolcache_bin) rather than exposing it in the workspace; rename the step to reflect the new behavior (for example "Link uv into hostedtoolcache bin" or similar) by updating the name field that currently reads "Expose uv in workspace" and keep the existing command that uses toolcache_bin and UV_PATH unchanged so logs accurately reflect the action.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml:
- Around line 653-660: The workflow currently defaults the add_comment tool's
target to "triggering" in the safe outputs tools JSON (see add_comment and
safeoutputs/tools.json block), which is invalid for a status/check-run workflow
that discovers the PR later; instead either remove the default target and
require the agent to supply item_number after the PR is resolved, or set an
explicit PR/issue target at generation time by updating the source workflow
fragment that produces the GH_AW_SAFE_OUTPUTS_TOOLS_EOF entry so the compiled
.lock.yml contains a specific target (or validation that item_number is
mandatory) and then recompile with gh aw compile.
In @.github/workflows/gh-aw-fragments/runtime-setup.md:
- Around line 47-50: The script currently hardcodes
toolcache_bin="/opt/hostedtoolcache/gh-aw-tools/current/x64/bin" and creates a
symlink to "$UV_PATH" but neither documents gh-aw's scanning behavior nor
ensures the new bin dir is on PATH; update the file to (1) remove the x64
hardcode by deriving the architecture (replace the literal "x64" usage around
toolcache_bin) so ARM runners are supported, and (2) after creating the symlink
to "$toolcache_bin/uv" export the new directory into PATH (export
PATH="$toolcache_bin:$PATH") or add a clear comment referencing gh-aw's scan
behavior if you prefer to rely on automatic discovery; reference toolcache_bin,
UV_PATH and the created symlink "uv" when making the change.
In @.github/workflows/gh-aw-issue-triage.lock.yml:
- Around line 976-977: The workflow currently relies on an unpinned Playwright
MCP image while using the CLI-only flag "--snapshot-mode none" in
"entrypointArgs", which is only supported in v0.0.51+; update the job to pin the
Playwright MCP image to v0.0.51 or later (replace the floating/untagged image
reference with an explicit :v0.0.51 or newer tag) so that the "--snapshot-mode
none" option in entrypointArgs will be supported and mounts (e.g., "mounts":
["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"]) continue to work consistently.
In @.github/workflows/gh-aw-mention-in-pr.lock.yml:
- Around line 180-185: The workflow references a non-existent step ID
resolve-host-repo in the "Cross-repo setup guidance" step, so either remove that
entire "Cross-repo setup guidance" step from the source .md or add a step that
sets outputs.target_repo with the ID resolve-host-repo; after updating the
source, recompile with gh aw compile. Ensure the added step uses the ID
resolve-host-repo and exposes outputs.target_repo (or drop the step and its
conditional if cross-repo guidance is not needed) so the condition if: failure()
&& steps.resolve-host-repo.outputs.target_repo != github.repository can evaluate
correctly.
In @.github/workflows/gh-aw-mention-in-pr.md:
- Line 29: The concurrency/group and any PR-identity expressions that currently
use github.event.issue.* (e.g., the group value "gh-aw-copilot-${{
github.workflow }}-mention-pr-${{ github.event.issue.number }}") must fall back
to pull_request values when available; replace each occurrence with a safe
expression that prefers github.event.pull_request.number and falls back to
github.event.issue.number (for example: use ${{ github.event.pull_request.number
|| github.event.issue.number }} or the ternary equivalent) and apply the same
pattern to all instances mentioned (the group lines and any other expressions at
the locations referenced).
---
Duplicate comments:
In @.github/workflows/gh-aw-fragments/playwright-mcp-explorer.md:
- Around line 49-50: The snippet calls page.request.post(url, {data}) and then
res.json() but never defines url or data, so make the example self-contained by
declaring those values locally before the POST; add e.g. a const url =
'https://example.com/endpoint' (or build from variables) and a const data = { /*
payload */ } (or FormData) immediately above the page.request.post call so
page.request.post and the subsequent const json = await res.json() can be
copy/pasted and run as-is.
---
Nitpick comments:
In @.github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml:
- Around line 585-586: The job step named "Expose uv in workspace" no longer
exposes uv in the workspace but instead symlinks UV into the toolcache bin path;
rename the step title string "Expose uv in workspace" to something more accurate
(e.g., "Symlink uv into hostedtoolcache bin" or similar) so it reflects the new
behavior and reduces confusion during debugging; update the step name while
leaving the run block (the script that creates toolcache_bin, mkdir -p and ln
-sf \"$UV_PATH\" \"$toolcache_bin/uv\") unchanged.
In @.github/workflows/gh-aw-product-manager-impersonator.lock.yml:
- Around line 685-686: The step name "Expose uv in workspace" is misleading
because the script creates a symlink under /opt/hostedtoolcache/.../bin
(variable toolcache_bin) rather than exposing it in the workspace; rename the
step to reflect the new behavior (for example "Link uv into hostedtoolcache bin"
or similar) by updating the name field that currently reads "Expose uv in
workspace" and keep the existing command that uses toolcache_bin and UV_PATH
unchanged so logs accurately reflect the action.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 728e88e7-84f1-4f5b-b633-25635cfdb69a
📒 Files selected for processing (92)
- .github/aw/actions-lock.json
- .github/workflows/agent-deep-dive.lock.yml
- .github/workflows/agent-efficiency.lock.yml
- .github/workflows/gh-aw-agent-suggestions.lock.yml
- .github/workflows/gh-aw-autonomy-atomicity-analyzer.lock.yml
- .github/workflows/gh-aw-branch-actions-detective.lock.yml
- .github/workflows/gh-aw-breaking-change-detect.lock.yml
- .github/workflows/gh-aw-breaking-change-detector.lock.yml
- .github/workflows/gh-aw-bug-hunter.lock.yml
- .github/workflows/gh-aw-code-complexity-detector.lock.yml
- .github/workflows/gh-aw-code-duplication-detector.lock.yml
- .github/workflows/gh-aw-code-quality-audit.lock.yml
- .github/workflows/gh-aw-create-pr-from-issue.lock.yml
- .github/workflows/gh-aw-deep-research.lock.yml
- .github/workflows/gh-aw-dependency-review.lock.yml
- .github/workflows/gh-aw-dependency-review.md
- .github/workflows/gh-aw-docs-drift.lock.yml
- .github/workflows/gh-aw-docs-patrol.lock.yml
- .github/workflows/gh-aw-estc-actions-resource-not-accessible-detector.lock.yml
- .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml
- .github/workflows/gh-aw-estc-docs-pr-review.lock.yml
- .github/workflows/gh-aw-estc-docs-pr-review.md
- .github/workflows/gh-aw-estc-downstream-health.lock.yml
- .github/workflows/gh-aw-estc-newbie-contributor-patrol-external.lock.yml
- .github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml
- .github/workflows/gh-aw-estc-pr-buildkite-detective.md
- .github/workflows/gh-aw-flaky-test-investigator.lock.yml
- .github/workflows/gh-aw-fragments/playwright-mcp-explorer.md
- .github/workflows/gh-aw-fragments/runtime-setup.md
- .github/workflows/gh-aw-fragments/safe-output-add-comment-pr-hide-older.md
- .github/workflows/gh-aw-fragments/safe-output-add-comment-pr.md
- .github/workflows/gh-aw-fragments/safe-output-push-to-pr.md
- .github/workflows/gh-aw-fragments/safe-output-reply-to-review-comment.md
- .github/workflows/gh-aw-fragments/safe-output-resolve-thread.md
- .github/workflows/gh-aw-fragments/safe-output-review-comment.md
- .github/workflows/gh-aw-fragments/safe-output-submit-review.md
- .github/workflows/gh-aw-fragments/safe-output-update-pr.md
- .github/workflows/gh-aw-framework-best-practices.lock.yml
- .github/workflows/gh-aw-information-architecture.lock.yml
- .github/workflows/gh-aw-internal-gemini-cli-web-search.lock.yml
- .github/workflows/gh-aw-internal-gemini-cli.lock.yml
- .github/workflows/gh-aw-issue-fixer.lock.yml
- .github/workflows/gh-aw-issue-triage.lock.yml
- .github/workflows/gh-aw-mention-in-issue-by-id.md
- .github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml
- .github/workflows/gh-aw-mention-in-issue.lock.yml
- .github/workflows/gh-aw-mention-in-pr-by-id.invalid.yml
- .github/workflows/gh-aw-mention-in-pr-by-id.lock.yml
- .github/workflows/gh-aw-mention-in-pr-by-id.md
- .github/workflows/gh-aw-mention-in-pr-no-sandbox.invalid.yml
- .github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml
- .github/workflows/gh-aw-mention-in-pr-no-sandbox.md
- .github/workflows/gh-aw-mention-in-pr.invalid.yml
- .github/workflows/gh-aw-mention-in-pr.lock.yml
- .github/workflows/gh-aw-mention-in-pr.md
- .github/workflows/gh-aw-newbie-contributor-patrol.lock.yml
- .github/workflows/gh-aw-performance-profiler.lock.yml
- .github/workflows/gh-aw-plan.lock.yml
- .github/workflows/gh-aw-pr-actions-detective.lock.yml
- .github/workflows/gh-aw-pr-actions-detective.md
- .github/workflows/gh-aw-pr-actions-fixer.lock.yml
- .github/workflows/gh-aw-pr-actions-fixer.md
- .github/workflows/gh-aw-pr-ci-detective.lock.yml
- .github/workflows/gh-aw-pr-conflict-addresser.lock.yml
- .github/workflows/gh-aw-pr-conflict-addresser.md
- .github/workflows/gh-aw-pr-labeler.lock.yml
- .github/workflows/gh-aw-pr-review-addresser.lock.yml
- .github/workflows/gh-aw-pr-review.lock.yml
- .github/workflows/gh-aw-product-manager-impersonator.lock.yml
- .github/workflows/gh-aw-project-summary.lock.yml
- .github/workflows/gh-aw-refactor-opportunist.lock.yml
- .github/workflows/gh-aw-release-update.lock.yml
- .github/workflows/gh-aw-scheduled-audit.lock.yml
- .github/workflows/gh-aw-scheduled-fix.lock.yml
- .github/workflows/gh-aw-small-problem-fixer.lock.yml
- .github/workflows/gh-aw-stale-issues-investigator.lock.yml
- .github/workflows/gh-aw-stale-issues-remediator.lock.yml
- .github/workflows/gh-aw-stale-issues.lock.yml
- .github/workflows/gh-aw-test-coverage-detector.lock.yml
- .github/workflows/gh-aw-text-auditor.lock.yml
- .github/workflows/gh-aw-update-pr-body.lock.yml
- .github/workflows/gh-aw-ux-design-patrol.lock.yml
- .github/workflows/internal-downstream-health.lock.yml
- .github/workflows/trigger-mention-in-issue-by-id.yml
- .github/workflows/trigger-mention-in-pr-by-id.yml
- .github/workflows/trigger-pr-conflict-addresser.yml
- .github/workflows/trigger-prompt-audit.yml
- .github/workflows/upgrade-check.lock.yml
- .github/workflows/workflow-patrol.lock.yml
- gh-agent-workflows/mention-in-issue-by-id/README.md
- gh-agent-workflows/mention-in-issue-by-id/example.yml
- gh-agent-workflows/mention-in-pr-by-id/README.md
💤 Files with no reviewable changes (10)
- .github/workflows/trigger-mention-in-issue-by-id.yml
- gh-agent-workflows/mention-in-pr-by-id/README.md
- .github/workflows/gh-aw-pr-actions-detective.md
- gh-agent-workflows/mention-in-issue-by-id/example.yml
- .github/workflows/gh-aw-estc-pr-buildkite-detective.md
- .github/workflows/trigger-mention-in-pr-by-id.yml
- .github/workflows/gh-aw-mention-in-pr-by-id.md
- .github/workflows/gh-aw-mention-in-issue-by-id.md
- gh-agent-workflows/mention-in-issue-by-id/README.md
- .github/workflows/gh-aw-pr-actions-fixer.md
🚧 Files skipped from review as they are similar to previous changes (31)
- .github/workflows/gh-aw-small-problem-fixer.lock.yml
- .github/workflows/gh-aw-update-pr-body.lock.yml
- .github/workflows/gh-aw-pr-review.lock.yml
- .github/workflows/gh-aw-release-update.lock.yml
- .github/workflows/gh-aw-pr-labeler.lock.yml
- .github/workflows/gh-aw-ux-design-patrol.lock.yml
- .github/workflows/gh-aw-project-summary.lock.yml
- .github/workflows/gh-aw-stale-issues.lock.yml
- .github/workflows/gh-aw-information-architecture.lock.yml
- .github/workflows/agent-efficiency.lock.yml
- .github/workflows/gh-aw-branch-actions-detective.lock.yml
- .github/workflows/gh-aw-code-complexity-detector.lock.yml
- .github/workflows/gh-aw-framework-best-practices.lock.yml
- .github/workflows/gh-aw-dependency-review.lock.yml
- .github/workflows/gh-aw-autonomy-atomicity-analyzer.lock.yml
- .github/workflows/gh-aw-plan.lock.yml
- .github/workflows/gh-aw-create-pr-from-issue.lock.yml
- .github/workflows/gh-aw-code-quality-audit.lock.yml
- .github/workflows/gh-aw-estc-docs-patrol-external.lock.yml
- .github/workflows/gh-aw-text-auditor.lock.yml
- .github/workflows/gh-aw-refactor-opportunist.lock.yml
- .github/workflows/gh-aw-breaking-change-detector.lock.yml
- .github/workflows/gh-aw-estc-downstream-health.lock.yml
- .github/workflows/gh-aw-performance-profiler.lock.yml
- .github/workflows/gh-aw-stale-issues-remediator.lock.yml
- .github/workflows/gh-aw-bug-hunter.lock.yml
- .github/workflows/gh-aw-issue-fixer.lock.yml
- .github/workflows/gh-aw-pr-ci-detective.lock.yml
- .github/workflows/gh-aw-deep-research.lock.yml
- .github/workflows/gh-aw-pr-review-addresser.lock.yml
- .github/workflows/gh-aw-scheduled-fix.lock.yml
| {"add_comment":{"max":1,"target":"triggering"},"missing_data":{},"missing_tool":{},"noop":{"max":1}} | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_EOF | ||
| - name: Write Safe Outputs Tools | ||
| run: | | ||
| cat > /opt/gh-aw/safeoutputs/tools.json << 'GH_AW_SAFE_OUTPUTS_TOOLS_EOF' | ||
| [ | ||
| { | ||
| "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: ${{ inputs.target-pr-number || 'triggering' }}.", | ||
| "description": "Add a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission. CONSTRAINTS: Maximum 1 comment(s) can be added. Target: triggering.", |
Don't default add_comment to triggering in a status/check-run workflow.
Lines 653-660 and Line 1464 switch add_comment to target:"triggering", but this workflow discovers the PR later from the failed commit/check context. The tool contract in this same file still says omitted item_number only auto-targets issue/pull_request/discussion/comment triggers, so the agent can now legitimately emit an add_comment that has no valid PR target.
Either keep explicit PR targeting here, or make the prompt require item_number after Step 1 resolves the PR. Based on learnings, .lock.yml files here are generated by gh aw compile; update the source workflow/fragment and recompile.
Also applies to: 1464-1464
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-estc-pr-buildkite-detective.lock.yml around lines
653 - 660, The workflow currently defaults the add_comment tool's target to
"triggering" in the safe outputs tools JSON (see add_comment and
safeoutputs/tools.json block), which is invalid for a status/check-run workflow
that discovers the PR later; instead either remove the default target and
require the agent to supply item_number after the PR is resolved, or set an
explicit PR/issue target at generation time by updating the source workflow
fragment that produces the GH_AW_SAFE_OUTPUTS_TOOLS_EOF entry so the compiled
.lock.yml contains a specific target (or validation that item_number is
mandatory) and then recompile with gh aw compile.
| # AWF-friendly location: gh-aw scans /opt/hostedtoolcache/**/bin paths. | ||
| toolcache_bin="/opt/hostedtoolcache/gh-aw-tools/current/x64/bin" | ||
| sudo mkdir -p "$toolcache_bin" | ||
| sudo ln -sf "$UV_PATH" "$toolcache_bin/uv" |
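Review bot: the sudo ln -sf line links a root-created tool-cache entry to whatever $UV_PATH holds, with no check on it. If UV_PATH is empty or stale, the link dangles and later uv calls fail far from the cause; if it points into a directory that job steps can write, any step can swap the binary that later steps run as uv. Test [ -x "$UV_PATH" ] before linking, and consider sudo install -m 0755 "$UV_PATH" "$toolcache_bin/uv" so the cached copy is root-owned rather than a link into a writable path.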
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Search for evidence that gh-aw scans /opt/hostedtoolcache/**/bin paths automatically
rg -n 'hostedtoolcache.*bin' --type=md --type=yaml -C2
Repository: elastic/ai-github-actions
Length of output: 51
🏁 Script executed:
#!/bin/bash
# Description: Check for ARM runner references or architecture-specific configurations
rg -n 'arm64|aarch64|runs-on.*arm' --type=yaml -C2
Repository: elastic/ai-github-actions
Length of output: 51
🏁 Script executed:
cat -n .github/workflows/gh-aw-fragments/runtime-setup.md
Repository: elastic/ai-github-actions
Length of output: 4003
🏁 Script executed:
rg -n "gh-aw" --type=md --type=yaml
Repository: elastic/ai-github-actions
Length of output: 30545
🏁 Script executed:
rg -n "PATH" .github/workflows/gh-aw-fragments/ --type=md -A2 -B2
Repository: elastic/ai-github-actions
Length of output: 925
🏁 Script executed:
fd -e md -e yaml . .github/workflows/ | head -20
Repository: elastic/ai-github-actions
Length of output: 1066
Either document the gh-aw PATH scanning mechanism or explicitly export UV to PATH.
Line 48 hardcodes x64 architecture, preventing ARM runner support. More critically, the comment claims gh-aw automatically scans /opt/hostedtoolcache/**/bin paths, but no evidence of this exists in the repository, and no explicit PATH export appears in the script. If the automatic scanning doesn't occur, UV won't be accessible to subsequent steps. Either verify and document the gh-aw scanning behavior, or add an explicit export PATH="$toolcache_bin:$PATH" line after creating the symlink.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-fragments/runtime-setup.md around lines 47 - 50, The
script currently hardcodes
toolcache_bin="/opt/hostedtoolcache/gh-aw-tools/current/x64/bin" and creates a
symlink to "$UV_PATH" but neither documents gh-aw's scanning behavior nor
ensures the new bin dir is on PATH; update the file to (1) remove the x64
hardcode by deriving the architecture (replace the literal "x64" usage around
toolcache_bin) so ARM runners are supported, and (2) after creating the symlink
to "$toolcache_bin/uv" export the new directory into PATH (export
PATH="$toolcache_bin:$PATH") or add a clear comment referencing gh-aw's scan
behavior if you prefer to rely on automatic discovery; reference toolcache_bin,
UV_PATH and the created symlink "uv" when making the change.
| "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox", "--snapshot-mode", "none"], | ||
| "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] |
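Review bot: the mounts entry is wider than the output path needs. entrypointArgs writes to /tmp/gh-aw/mcp-logs/playwright, but mounts exposes the whole parent /tmp/gh-aw/mcp-logs read-write to a container that runs the browser with --no-sandbox, so a compromised browser process can read and modify anything else stored under mcp-logs. Mount only /tmp/gh-aw/mcp-logs/playwright:/tmp/gh-aw/mcp-logs/playwright:rw unless another consumer of the parent directory is documented.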
🛠️ Refactor suggestion | 🟠 Major
🧩 Analysis chain
🌐 Web query:
Does the Docker image mcr.microsoft.com/playwright/mcp currently support the CLI option --snapshot-mode none, and which tagged version first introduced it?
💡 Result:
Yes. The current Playwright MCP documentation lists --snapshot-mode <mode> with allowed values "incremental", "full", or "none" (so --snapshot-mode none is supported), and the Docker image mcr.microsoft.com/playwright/mcp runs that same cli.js entrypoint when started via docker run … mcr.microsoft.com/playwright/mcp …. [1]
The first tagged version that introduced support for disabling snapshots (none) was v0.0.51 (released Dec 8, 2025), which added snapshot mode configuration including "none". [2][3]
Pin the Playwright MCP image to v0.0.51 or later.
The --snapshot-mode none flag is CLI-version sensitive and was first introduced in v0.0.51 (Dec 8, 2025). Using an untagged or floating tag risks pulling an older image that does not support this option. Specify an explicit version tag to ensure consistent behavior.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-issue-triage.lock.yml around lines 976 - 977, The
workflow currently relies on an unpinned Playwright MCP image while using the
CLI-only flag "--snapshot-mode none" in "entrypointArgs", which is only
supported in v0.0.51+; update the job to pin the Playwright MCP image to v0.0.51
or later (replace the floating/untagged image reference with an explicit
:v0.0.51 or newer tag) so that the "--snapshot-mode none" option in
entrypointArgs will be supported and mounts (e.g., "mounts":
["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"]) continue to work consistently.
| - name: Cross-repo setup guidance | ||
| if: failure() && steps.resolve-host-repo.outputs.target_repo != github.repository | ||
| run: | | ||
| echo "::error::COPILOT_GITHUB_TOKEN must be configured in the CALLER repository's secrets." | ||
| echo "::error::For cross-repo workflow_call, secrets must be set in the repository that triggers the workflow." | ||
| echo "::error::See: https://github.github.com/gh-aw/patterns/central-repo-ops/#cross-repo-setup" |
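Review bot: the if: on this step does not guard against an empty steps.resolve-host-repo.outputs.target_repo. A missing step id or an unset output dereferences to an empty string, which never equals github.repository, so on any failure() in the job, same-repo runs included, the step prints three ::error:: lines that blame COPILOT_GITHUB_TOKEN. Add steps.resolve-host-repo.outputs.target_repo != '' to the condition, and key the step on the outcome of the step that checks the token rather than on failure() alone.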
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
fd 'gh-aw-mention-in-pr.*' .github/workflows | while IFS= read -r f; do
  echo "== $f =="
  rg -n -C2 "Cross-repo setup guidance|resolve-host-repo|target_repo" "$f" || true
  echo
done
Repository: elastic/ai-github-actions
Length of output: 998
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Check the .md source file (which is what gets edited)
echo "=== Source file: gh-aw-mention-in-pr.md ==="
cat -n .github/workflows/gh-aw-mention-in-pr.md | head -250
echo ""
echo "=== Searching for step definitions with id in .md ==="
rg -n "^\s*-\s*id:|^\s*- name:" .github/workflows/gh-aw-mention-in-pr.md
Repository: elastic/ai-github-actions
Length of output: 14593
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Searching fragments for 'Cross-repo setup guidance' ==="
rg -l "Cross-repo setup guidance" gh-aw-fragments/
echo ""
echo "=== Searching fragments for 'resolve-host-repo' ==="
rg -n "resolve-host-repo|id:.*host" gh-aw-fragments/ || echo "No matches found"
echo ""
echo "=== List all .md fragments ==="
ls -1 gh-aw-fragments/*.md
Repository: elastic/ai-github-actions
Length of output: 202
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Finding fragments directory ==="
find . -type d -name "gh-aw-fragments" 2>/dev/null
echo ""
echo "=== Searching for 'Cross-repo setup guidance' across entire repo ==="
rg -l "Cross-repo setup guidance" . 2>/dev/null || echo "Not found in main search"
echo ""
echo "=== Searching for 'resolve-host-repo' across entire repo ==="
rg -n "resolve-host-repo" . 2>/dev/null || echo "Not found"
Repository: elastic/ai-github-actions
Length of output: 307
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Full context of Cross-repo setup guidance step in .lock.yml ==="
sed -n '175,195p' .github/workflows/gh-aw-mention-in-pr.lock.yml
echo ""
echo "=== Search for 'resolve' in .lock.yml to find any step that might produce this output ==="
rg -n -i "id.*resolve|resolve.*:" .github/workflows/gh-aw-mention-in-pr.lock.yml || echo "No resolve steps found"
echo ""
echo "=== Check the corresponding .md source for this section ==="
echo "Looking at source .md around line 117 onwards..."
tail -n +117 .github/workflows/gh-aw-mention-in-pr.md | head -100
Repository: elastic/ai-github-actions
Length of output: 31870
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Searching fragments for 'Cross-repo setup guidance' ==="
rg -n "Cross-repo setup guidance" ./.github/workflows/gh-aw-fragments/
echo ""
echo "=== Searching fragments for 'resolve-host-repo' (any occurrence) ==="
rg -n "resolve-host-repo" ./.github/workflows/gh-aw-fragments/
echo ""
echo "=== List fragment files ==="
ls -1 ./.github/workflows/gh-aw-fragments/
Repository: elastic/ai-github-actions
Length of output: 128
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Complete search for resolve-host-repo in ALL files ==="
rg -n "resolve-host-repo" . 2>/dev/null || echo "Found: 0 matches"
echo ""
echo "=== Check if Cross-repo setup guidance exists in any .md ==="
rg -n "Cross-repo setup" . 2>/dev/null || echo "Found: 0 matches"
echo ""
echo "=== Check git log for when this was added to .lock.yml ==="
git log --oneline -p -- .github/workflows/gh-aw-mention-in-pr.lock.yml | grep -A5 -B5 "Cross-repo setup guidance" | head -30 || echo "Not found in recent history"
echo ""
echo "=== Check the .md source file size to confirm we have it all ==="
wc -l ./.github/workflows/gh-aw-mention-in-pr.md
Repository: elastic/ai-github-actions
Length of output: 1216
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Check if the no-sandbox variant also has the same issue ==="
sed -n '170,190p' .github/workflows/gh-aw-mention-in-pr-no-sandbox.lock.yml
echo ""
echo "=== Search for 'validate-secret' step to understand the context ==="
rg -n "validate.*secret|Validate.*COPILOT" ./.github/workflows/gh-aw-mention-in-pr.md
echo ""
echo "=== Check all fragments imported ==="
grep "^ - " ./.github/workflows/gh-aw-mention-in-pr.md | head -25
Repository: elastic/ai-github-actions
Length of output: 1384
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== List all fragments ==="
ls -la ./.github/workflows/gh-aw-fragments/
echo ""
echo "=== Search all fragments for validate or COPILOT ==="
rg -l "validate-secret|Validate COPILOT|Cross-repo" ./.github/workflows/gh-aw-fragments/
echo ""
echo "=== Search fragments for any step with 'if: failure' ==="
rg -n "if:.*failure" ./.github/workflows/gh-aw-fragments/
Repository: elastic/ai-github-actions
Length of output: 2809
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Search all .md files for 'validate-secret' ==="
rg -n "validate-secret|Validate COPILOT" ./.github/workflows/ --type md
echo ""
echo "=== Check the git history: was this step added manually to .lock.yml? ==="
git log --oneline --all -- .github/workflows/gh-aw-mention-in-pr.lock.yml | head -10
echo ""
echo "=== Check if there's a source .md that was modified recently ==="
git log --oneline --all -- .github/workflows/gh-aw-mention-in-pr.md | head -10
echo ""
echo "=== Check if the step exists in any other workflow ==="
rg -l "validate-secret|Cross-repo setup guidance" ./.github/workflows/ | grep -v ".lock.yml"
Repository: elastic/ai-github-actions
Length of output: 119
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Get the actual PR diff to see what changed ==="
git diff HEAD~1..HEAD -- .github/workflows/gh-aw-mention-in-pr.lock.yml | head -100
echo ""
echo "=== Search for any file mentioning 'resolve-host-repo' in entire repo history ==="
git log -p --all -- .github/workflows/ | grep -C3 "resolve-host-repo" | head -50 || echo "Not found in history"
echo ""
echo "=== Check if maybe the step ID should be 'validate-secret' instead ==="
rg -n "validate-secret" .github/workflows/gh-aw-mention-in-pr.lock.yml
Repository: elastic/ai-github-actions
Length of output: 173
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Check if the 'Validate COPILOT_GITHUB_TOKEN secret' step exists in source .md ==="
rg -n "Validate COPILOT_GITHUB_TOKEN|validate_multi_secret" ./.github/workflows/gh-aw-mention-in-pr.md
echo ""
echo "=== List all steps in the .lock.yml file ==="
rg -n "^\s+- name:" .github/workflows/gh-aw-mention-in-pr.lock.yml | head -30
echo ""
echo "=== Verify the condition for Cross-repo guidance step references non-existent step ==="
rg -A2 "Cross-repo setup guidance" .github/workflows/gh-aw-mention-in-pr.lock.yml
Repository: elastic/ai-github-actions
Length of output: 154
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Full content of the .md source file ==="
cat ./.github/workflows/gh-aw-mention-in-pr.md
echo ""
echo "=== Now check: are there any 'steps:' defined after the imports? ==="
sed -n '100,220p' ./.github/workflows/gh-aw-mention-in-pr.md | grep -A50 "^steps:"
Repository: elastic/ai-github-actions
Length of output: 15442
Remove the Cross-repo setup guidance step from the source workflow or add the missing resolve-host-repo step.
The condition if: failure() && steps.resolve-host-repo.outputs.target_repo != github.repository references a step ID resolve-host-repo that does not exist anywhere in the workflow. The step will never execute as written.
Since .lock.yml files are auto-generated from the corresponding .md source, edit .github/workflows/gh-aw-mention-in-pr.md to either:
- Remove the "Cross-repo setup guidance" step entirely, or
- Add the missing resolve-host-repo step that produces target_repo output
Then recompile with gh aw compile.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/gh-aw-mention-in-pr.lock.yml around lines 180 - 185, The
workflow references a non-existent step ID resolve-host-repo in the "Cross-repo
setup guidance" step, so either remove that entire "Cross-repo setup guidance"
step from the source .md or add a step that sets outputs.target_repo with the ID
resolve-host-repo; after updating the source, recompile with gh aw compile.
Ensure the added step uses the ID resolve-host-repo and exposes
outputs.target_repo (or drop the step and its conditional if cross-repo guidance
is not needed) so the condition if: failure() &&
steps.resolve-host-repo.outputs.target_repo != github.repository can evaluate
correctly.
Override push-to-pull-request-branch target with the explicit inputs.target-pr-number since the fragment default of 'triggering' won't resolve on workflow_dispatch runs. Made-with: Cursor
| persist-credentials: false | ||
| - name: Setup Scripts | ||
| uses: strawgate/gh-aw/actions/setup@da413c61d4c63eb528f47f2bba95f020555d48e5 # v0.58.3 | ||
| uses: ./actions/setup |
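Review bot: uses: ./actions/setup replaces an action pinned to a full commit SHA (strawgate/gh-aw/actions/setup@da413c61d4c63eb528f47f2bba95f020555d48e5, v0.58.3) with a path resolved from the checked-out workspace. The setup code that runs is then whatever the preceding checkout placed at ./actions/setup, with no pin a reviewer can audit from this file. Keep the SHA-pinned uses: line in the lock file; if a local action is needed during development, keep it out of the generated lock output.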
This generated lockfile appears out of sync with the source workflow compiler output.
On this branch, running make compile rewrites this file by removing the added Checkout actions folder blocks and changing uses: ./actions/setup back to the pinned remote action. That means the checked-in lockfile is not reproducible and can cause compile/consistency checks to fail.
Please regenerate and commit the compiled lock output so this file matches canonical gh aw compile output.
There was a problem hiding this comment.
One blocking issue remains: .github/workflows/gh-aw-mention-in-pr-no-sandbox.md now hard-codes PR identity to github.event.issue.* (see changed lines 29, 78, 124, 144). This workflow is used for pull_request_review_comment triggers where github.event.issue is unavailable, so concurrency keys can collapse across PRs and the prompt’s PR guardrail can be blank. Please use github.event.pull_request.* with an issue.* fallback for these fields.
What is this? | From workflow: Trigger PR Review
…mpts The mention-in-pr workflows can be triggered by pull_request_review_comment events where github.event.issue is unavailable. Add github.event.pull_request.number || fallback to concurrency groups and prompt references so they resolve correctly for both trigger types. Made-with: Cursor
Summary
- --snapshot-mode none, switch from browser_console_execute to browser_run_code, and add guidance on batching actions, keeping return payloads small, and using snapshot-to-disk + grep discovery under /tmp/gh-aw/mcp-logs/.
- uv discovery: update gh-aw-fragments/runtime-setup.md to expose uv via /opt/hostedtoolcache/gh-aw-tools/current/x64/bin (symlink) so AWF can detect it consistently. This propagates to generated lock workflows.
- gh-aw-mention-in-issue-by-id and gh-aw-mention-in-pr-by-id workflow definitions, triggers, and example docs; add gh-aw-pr-conflict-addresser plus trigger-pr-conflict-addresser for dispatch-driven conflict resolution on open PRs.
- github.event.pull_request.number || github.event.issue.number for concurrency and prompt context, remove target-pr-number inputs where no longer needed, and normalize reusable safe-output fragment targets to target: "triggering" to reduce generated expression complexity so workflow compilation remains within GitHub limits (make compile succeeds).
Test plan
- make compile passes with 0 errors, 2 warnings (pre-existing safe-inputs warnings)
The body of this PR is automatically managed by the workflow runtime.
The body of this PR is automatically managed by the Trigger Update PR Body workflow.