fix: make smoke-claude safe outputs trigger-aware for workflow_dispatch #2036

Merged: lpcox merged 1 commit into main from copilot/fix-smoke-claude-dispatch on Apr 16, 2026

@lpcox (Collaborator) commented Apr 16, 2026

Problem

The smoke-claude workflow fails on workflow_dispatch (manual) and schedule triggers because the prompt unconditionally tells the agent to add comments and labels to "the pull request."

  • add_comment gracefully skips when there's no PR context
  • add_labels hard-fails with: No issue/PR number available

This causes the safe_outputs job to fail, marking the entire run as failed even though the agent job succeeded.

Failed run: https://github.com/github/gh-aw-firewall/actions/runs/24535395752

Fix

Updated the prompt to be trigger-aware:

  • PR triggers: add comment + label as before
  • Non-PR triggers (workflow_dispatch, schedule): use noop to report results instead of attempting add_comment/add_labels

Also recompiled the lock file and ran post-processing.

The smoke-claude prompt unconditionally instructs the agent to add
comments and labels to 'the pull request', but workflow_dispatch and
schedule triggers have no PR context. The add_labels handler hard-fails
(unlike add_comment which skips gracefully), causing the safe_outputs
job to fail on manual runs.

Update the prompt to only emit add_comment/add_labels when triggered
by a pull_request, and use noop for non-PR triggers.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox requested a review from Mossaka as a code owner April 16, 2026 21:46
Copilot AI review requested due to automatic review settings April 16, 2026 21:46
@github-actions
Contributor

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
| --- | --- | --- | --- |
| Lines | 84.33% | 84.41% | 📈 +0.08% |
| Statements | 83.56% | 83.64% | 📈 +0.08% |
| Functions | 87.39% | 87.39% | ➡️ +0.00% |
| Branches | 74.78% | 74.82% | 📈 +0.04% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
| --- | --- | --- |
| src/docker-manager.ts | 86.8% → 87.1% (+0.30%) | 86.4% → 86.7% (+0.29%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions
Contributor

Smoke Test Results

Test Status
GitHub MCP (last 2 PRs: "chore: recompile workflows for gh-aw v0.68.5", "chore: upgrade gh-aw to v0.68.4 and recompile workflows")
Playwright (github.com title contains "GitHub")
File write (smoke-test-claude-24535683334.txt)
Bash verification (cat file)

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions
Contributor

✅ Smoke Test PASSED

Test Results:

Status: PASS
Author: @lpcox

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Contributor

🔥 Smoke Test: Copilot BYOK (Offline) — PASS

Test Result
GitHub MCP (list merged PRs) #2018: feat: add AWF JSON/YAML config ingestion
GitHub.com connectivity ✅ (gh CLI authenticated)
File write/read (smoke-test-copilot-byok-24535683298.txt)
BYOK inference (agent responding)

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

cc @lpcox

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions
Contributor

Smoke Test: GitHub Actions Services Connectivity ✅

All checks passed:

| Check | Result |
| --- | --- |
| Redis PING at host.docker.internal:6379 | PONG |
| PostgreSQL pg_isready at host.docker.internal:5432 | ✅ accepting connections |
| PostgreSQL SELECT 1 on smoketest db as postgres | ✅ returned 1 |

Note: redis-cli was not available; Redis was tested via nc (raw Redis protocol), which returned +PONG.

🔌 Service connectivity validated by Smoke Services

Contributor

Copilot AI left a comment

Pull request overview

Updates the “Smoke Claude” agentic workflow to avoid failing safe-outputs processing on non-PR triggers (manual/scheduled runs) by making the reporting instructions trigger-aware, then recompiles the generated lock workflow and updates the pinned setup action reference.

Changes:

  • Adjusts the smoke-claude prompt to differentiate PR vs non-PR (workflow_dispatch/schedule) reporting behavior.
  • Recompiles .github/workflows/smoke-claude.lock.yml with newer gh-aw tooling (v0.68.4) and associated generated updates.
  • Updates .github/aw/actions-lock.json to pin github/gh-aw-actions/setup to v0.68.4.

| File | Description |
| --- | --- |
| .github/workflows/smoke-claude.md | Makes output instructions trigger-aware, introducing a non-PR reporting path via noop safe output. |
| .github/workflows/smoke-claude.lock.yml | Regenerates the compiled workflow with updated gh-aw versions and generated steps/config. |
| .github/aw/actions-lock.json | Updates the pinned github/gh-aw-actions/setup action version/SHA used by compilation. |

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 2

If all tests pass, add the label `smoke-claude` to the pull request. No newline at end of file
If all tests pass, add the label `smoke-claude` to the pull request.

**If triggered by workflow_dispatch or schedule** (no PR context), use a noop safe output to report the test results summary instead. Do NOT attempt to add comments or labels when there is no pull request. No newline at end of file
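
Review bot: The context line "If all tests pass, add the label `smoke-claude` to the pull request." is still phrased unconditionally in this hunk, and the workflow_dispatch/schedule exception only follows it as a trailing paragraph ending in "instead". An agent that acts on instructions in order can still attempt add_labels before it reaches the exception, so consider scoping the label line itself with "If triggered by a pull request", unless lines above this hunk already do so. The new last line also still ends without a trailing newline.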

Copilot AI Apr 16, 2026

The new non-PR trigger path relies on the agent producing a safe-output entry, but the instruction says "use a noop safe output" without explicitly naming the tool (noop) or making it unambiguous that it must be invoked as a safe-output tool call. Consider wording this as an explicit requirement to call the noop safe-output tool with the short test summary, so workflow_dispatch/schedule runs don't fail the "Validate safe outputs were invoked" post-step due to the agent only printing text.

Suggested change
**If triggered by workflow_dispatch or schedule** (no PR context), use a noop safe output to report the test results summary instead. Do NOT attempt to add comments or labels when there is no pull request.
**If triggered by workflow_dispatch or schedule** (no PR context), you must call the `noop` safe-output tool with a very brief test results summary. Do NOT only print the summary as plain text. Do NOT attempt to add comments or labels when there is no pull request.

Comment on lines 979 to 983
- name: Upload agent artifacts
if: always()
continue-on-error: true
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
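
Review bot: The `uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1` line changes both the pinned SHA and the version comment, and only the SHA is what the runner resolves; the trailing comment is not checked by anything. Since this is a generated lock file, confirm that the new SHA is the commit the v7.0.1 tag points to in actions/upload-artifact and that the bump comes from the recompile rather than a hand edit. The step keeps `continue-on-error: true`, so a regression in the new version would not fail the job and is worth checking once in the run logs.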

Copilot AI Apr 16, 2026

The workflow no longer uploads a dedicated firewall-audit-logs artifact (firewall logs/audit are now bundled into the agent artifact). Many other workflows in this repo still publish firewall-audit-logs, so removing it here can break any tooling that expects that artifact name and makes logs harder to consume independently. Consider restoring the separate firewall-audit-logs upload step (or uploading both) for consistency/backward-compatibility.

@github-actions
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color all passed ✅ PASS
Go env all passed ✅ PASS
Go uuid all passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2036 · ● 1.1M ·

@github-actions
Contributor

Smoke test report:

  • feat: add AWF JSON/YAML config ingestion with schema validation and CLI precedence
  • fix: add explicit model for Copilot BYOK smoke test
  • GitHub MCP ✅ | safeinputs-gh CLI ❌ | Playwright ✅ | Tavily ❌
  • File write ✅ | Bash cat ✅ | Discussion interaction ❌ | Build (npm ci && npm run build) ✅
  • Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

@lpcox lpcox merged commit d3e9ceb into main Apr 16, 2026
59 of 62 checks passed
@lpcox lpcox deleted the copilot/fix-smoke-claude-dispatch branch April 16, 2026 22:02