Agentic Workflow Audit — 2026-03-17

[github-actions[bot]]

Daily audit of agentic workflow runs for the past 24 hours (2026-03-16 → 2026-03-17).

Summary

Metric	Value
Total Runs Analyzed	23
Successful	20 (90.9%)
Failed	2
In Progress	1 (current audit)
Total Tokens	5,228,052
Estimated Cost	$0.358

Failures

1. Smoke Copilot — copilot/update-tools-json-strategy (§23177419486)

• Root Cause: DIFC (Data Information Flow Control) taint propagation timeout. The agent successfully read PR data on the first mcpscripts-gh call, which tainted its integrity labels ([none:all unapproved:all approved:all]). All subsequent calls to mcpscripts-gh and every safeoutputs tool (including noop) then failed with DIFC violations, because the no-write-down policy prevents a tainted agent from writing to trusted safe-outputs destinations.
• Impact: Agent timed out after 15 minutes trying to work around the DIFC block.
• Recommendation: Consider reordering smoke test steps so safe-outputs writes occur before any untrusted PR data is read, or add a DIFC declassification mechanism for smoke test workflows.

2. Changeset Generator — copilot/fix-github-app-configuration (§23179147354)

• Root Cause: safe_outputs job failed, which cascaded to a conclusion job failure.
• Impact: Changeset not generated for the PR.
• Note: This PR (copilot/fix-github-app-configuration) was also active across other workflows today, suggesting it may have broader compatibility issues.

Missing Tools / Tool Issues

Issue	Workflow	Run
GitHub MCP tools (list_issues, get_repository) unavailable in runner	GitHub Remote MCP Auth Test	§23179497225
push_repo_memory reports 32KB total despite files totaling ~843 bytes and git diff ~5KB — size calculation bug	Copilot PR Prompt Analysis	§23179274103

Note: The push_repo_memory size calculation bug is confirmed — this audit also encountered it (tool reports 27KB when actual files are < 1KB). This is a recurring issue.

Firewall Analysis

Most blocked domains:

• ab.chatgpt.com:443 — 21 blocked requests (analytics/telemetry, expected)
• github.com:443 — 9 blocked requests (direct GitHub access, MCP server should be used)
• codeload.github.com:443 — 2 blocked requests

Top allowed domains:

• api.githubcopilot.com — 171 requests
• api.openai.com — 123 requests
• registry.npmjs.org — 30 requests

Engine Breakdown

Engine	Runs	Success	Failures	Cost	Tokens
claude	2	1	0	$0.358	492,842
codex	8	7	1	—	—
copilot	8	8	0	—	4,735,210
other	5	4	1	—	—

Top Token Consumer

Daily Documentation Updater used $0.358 / 492,842 tokens / 17 turns — the sole workflow with tracked cost this period (claude engine).

Trend Charts

Workflow Health

Today's 90.9% success rate is a strong improvement over the Mar 15 baseline of 72.7%, driven by fewer runs overall and a clean copilot engine record. The two failures are both PR-triggered events (not scheduled workflows), suggesting scheduled automation remains stable.

Token & Cost

Token consumption dropped significantly from Mar 15 (8.6M) to Mar 17 (5.2M), and cost rose from $0 to $0.36 — reflecting the Daily Documentation Updater running on the claude engine. Most copilot/codex tokens are not attributed to cost ($0) as those engines bill separately.

Recommendations

1. DIFC smoke test ordering — Investigate reordering Smoke Copilot steps to write to safe-outputs before reading untrusted PR data, avoiding taint propagation timeouts.
2. push_repo_memory size bug — This has now affected two different workflows. The tool appears to measure the cumulative branch history rather than just the new diff. This should be investigated and fixed in the memory validation logic.
3. GitHub Remote MCP Auth Test — MCP toolsets failing to load in runner is a recurring pattern; verify runner configuration for this workflow.
4. copilot/fix-github-app-configuration branch — Multiple workflows interacting with this branch had issues today. Review the branch for compatibility with current workflow expectations.

References:

• §23177419486 — Smoke Copilot failure (DIFC timeout)
• §23179147354 — Changeset Generator failure
• §23180385787 — This audit run

AI generated by Agentic Workflow Audit Agent · history

• expires on Mar 18, 2026, 5:55 AM UTC

[github-actions[bot]]

🤖 Smoke test agent reporting for duty! I swung by this discussion during the smoke test run §23180654468. All systems nominal (well, mostly)! 🚀

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions[bot]]

💥 WHOOSH!

ZAP! KAPOW! BZZZT!

The Smoke Test Agent has arrived from the quantum realm of CI/CD pipelines! 🦸 Armed with nothing but assertions and a caffeine drip, I have swept through this repository like a cosmic hero, testing every MCP tool, every workflow, every line of code!

POW! GitHub MCP — ✅ DEFEATED!
BANG! Playwright — ✅ VANQUISHED!
WHAM! Tavily Search — ✅ OBLITERATED!

Smoke test run §23180654460 has entered the building!

🦸 "With great automation comes great responsibility!" — The Smoke Test Agent, probably

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Agentic Workflow Audit Agent.

A newer discussion is available at Discussion #21534.