Safe Output Health Report - 2026-03-23

[github-actions[bot]]

Executive Summary

• Period: Last 24 hours (2026-03-23 UTC)
• Runs Analyzed: 98
• Workflows with Safe Output Activity: 7
• Safe Output Items Processed: 30
• Safe Output Job Failures: 1 (Duplicate Code Detector — Copilot assignment error)
• Error Clusters Identified: 2 (1 new, 1 recurring)

Overall, core safe output operations (issue/comment/PR creation) performed flawlessly. The one workflow failure was caused by a post-processing Copilot assignment step failing with Bad credentials — not by the issue creation itself. A recurring PR review line resolution warning (EP021) was handled gracefully via fallback.

---

Safe Output Item Statistics

Job Type	Executions	Failures	Notes
add_comment	9	0	✅ All succeeded
create_pull_request_review_comment	4	0	✅ All succeeded
create_issue	3	0	✅ All succeeded (Copilot assignment is post-step)
submit_pull_request_review	2	0	⚠️ 1 line-resolution warning, recovered via fallback
add_labels	2	0	✅ All succeeded
push_to_pull_request_branch	1	0	✅ Succeeded
create_discussion	1	0	✅ Succeeded
add_reviewer	1	0	✅ Succeeded
update_pull_request	1	0	✅ Succeeded
dispatch_workflow	1	0	✅ Succeeded
Other (set_issue_type, slack, etc.)	5	0	✅ All succeeded
Total	30	0	100% safe item creation success

Note: The overall Duplicate Code Detector run failed due to a post-creation Copilot assignment error, not due to any safe output item creation failure.

---

Error Clusters

🆕 EP023 — Copilot Agent Assignment Bad Credentials (NEW)

• Count: 2 occurrences across 2 runs
• Affected Workflows: Duplicate Code Detector, Issue Monster
• Severity: High for Duplicate Code Detector (workflow conclusion = failure), Low for Issue Monster (warning only, run succeeded)

Error messages:

##[error]Failed to find copilot agent: Bad credentials
##[error]Failed to assign copilot to issue #22370 in github/gh-aw: Bad credentials
##[error]ERR_API: Failed to assign copilot to 1 issue(s)

Root Cause: After successfully creating an issue via the create_issue safe output handler, the job attempts to assign Copilot as an assignee (configured via GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: {"create_issue": {"assignees": ["copilot"]}}). The GitHub API call to find/assign the Copilot agent fails with Bad credentials, indicating the GITHUB_TOKEN in these workflows lacks the necessary scope for Copilot agent assignment.

Affected runs:

• §23420898530 — Duplicate Code Detector — conclusion: failure (1 issue affected: Duplicate Code: Expired Entity Cleanup Handlers Repeated Across Issue/PR/Discussion Scripts #22370)
• §23420826663 — Issue Monster — conclusion: success (3 issues affected: [safeoutputs] Improve update_issue tool description: clarify issue_number is only effective with target='*' #22282, [performance] Regression in CompileMemoryUsage: +103.7% slower #22277, 🔍 Multi-Device Docs Testing Report - 2026-03-23 #22363; captured as warning)

Configuration Context

The Duplicate Code Detector has this safe outputs config:

{
  "create_issue": {"assignees": ["copilot"], "max": 1},
  "missing_data": {},
  "missing_tool": {},
  "noop": {"max": 1, "report-as-issue": "true"}
}
```

The GITHUB_TOKEN permissions for safe_outputs job in Duplicate Code Detector:
- `Contents: read`
- `Issues: write`
- `Metadata: read`

The Copilot agent lookup requires additional API permissions not present in the standard `Issues: write` token.

</details>

---

#### ↩️ EP021 — PR Review Line Resolution Failure (RECURRING)

- **Count**: 1 occurrence (Smoke Claude)
- **Severity**: Warning only — gracefully recovered
- **Run**: [§23420748984](https://github.com/github/gh-aw/actions/runs/23420748984)

```
##[warning]PR review submission failed due to unresolvable comment line(s): 
Unprocessable Entity: "Line could not be resolved". Retrying as body-only review.

Root Cause: The agent generated review comments referencing specific diff lines that were no longer resolvable by the time submission occurred (e.g., PR was updated or diff shifted). The handler correctly retried as a body-only review and succeeded.

Impact: Minimal — review was posted successfully as a body comment. No data loss. Recurring but self-healing.

---

Root Cause Analysis

Copilot Assignment Authentication (EP023)

The assign_copilot step in the safe_outputs job uses the default GITHUB_TOKEN to call the GitHub API for finding and assigning Copilot coding agents. The Issues: write permission alone is insufficient — Copilot agent assignment appears to require either:

• A higher-privileged app token, or
• A specific Copilot API permission not included in standard GITHUB_TOKEN scopes

This explains why the create_issue step (which only needs Issues: write) succeeds, while the subsequent assignment step fails.

Behavioral difference between runs: Issue Monster captures assignment errors as warnings (not hard failures), while Duplicate Code Detector propagates them as errors that cause a conclusion=failure. This suggests different error handling configurations between the two workflows' conclusion jobs.

PR Review Line Resolution (EP021)

GitHub's pull request review API rejects comments on lines that cannot be located in the current diff. This happens when:

1. The PR was force-pushed between agent execution and review submission
2. The agent referenced unstable line numbers in the diff

The fallback to body-only review is working correctly as a recovery mechanism.

---

Recommendations

Critical Issues

1. EP023: Copilot Assignment Credentials
   • Priority: High
   • Root Cause: GITHUB_TOKEN lacks Copilot assignment permissions
   • Recommended Action: Either (a) configure workflows using Copilot assignees with a custom GitHub App token that has the required Copilot API permission, or (b) update the assignment step to gracefully degrade when Copilot assignment fails rather than erroring the workflow
   • Affected Workflows: Duplicate Code Detector, Issue Monster (and any workflow with assignees: ["copilot"] config)

Bug Fixes Required

1. Copilot Assignment Error Handling Inconsistency
   • File/Location: Conclusion job error handling logic
   • Problem: Issue Monster treats Copilot assignment failure as a warning (run succeeds), while Duplicate Code Detector treats it as a hard error (run fails). This inconsistency should be investigated — if Copilot assignment failure is expected to be non-fatal, both workflows should handle it consistently.
   • Fix: Standardize error handling so Copilot assignment failure is treated as a warning (non-fatal) across all workflows, since the core operation (issue creation) succeeded.

Process Improvements

1. Copilot Assignment Retry Logic

   • Current State: Assignment is attempted once; failure immediately propagates as error
   • Proposed: Add retry with exponential backoff (similar to Issue Monster's 10s wait between retries) and classify as non-fatal if core safe output (issue creation) succeeded
   • Benefits: Reduces false-positive workflow failures from transient auth issues

2. EP021 Permanent Fix

   • Current State: PR review line failures trigger warning + body-only fallback
   • Proposed: Consider using the PR diff API to validate line references before submission
   • Benefits: Cleaner reviews with inline comments rather than body-only fallbacks

---

Work Item Plans

Work Item 1: Fix Copilot Assignment Credential Failure (EP023)

• Type: Bug Fix / Configuration
• Priority: High
• Description: The assign_copilot post-processing step in the safe_outputs job fails with Bad credentials when using the default GITHUB_TOKEN. This causes hard failures in Duplicate Code Detector and warnings in Issue Monster.
• Acceptance Criteria:
  • Copilot assignment succeeds in Duplicate Code Detector runs
  • Copilot assignment failure does not cause workflow conclusion=failure when the core safe output operation (create_issue) succeeded
  • Consistent error handling between Issue Monster and Duplicate Code Detector for assignment failures
• Technical Approach: Configure a custom app token with Copilot API permissions for workflows using Copilot assignment, or make the assignment step non-fatal
• Estimated Effort: Small-Medium
• Dependencies: Identifying correct GitHub App permission scope for Copilot agent assignment

Work Item 2: Resolve EP021 PR Review Line Resolution

• Type: Enhancement
• Priority: Low
• Description: Review comment submissions occasionally fail due to unresolvable diff lines. Currently handled via body-only fallback which works but degrades review quality.
• Acceptance Criteria:
  • PR review comments reference stable/resolvable diff lines
  • Reduction in EP021 warning occurrences
• Technical Approach: Use GitHub diff API to validate line positions before submission, or implement diff-position calculation based on current PR state
• Estimated Effort: Medium
• Dependencies: GitHub PR review API documentation, diff position calculation logic

---

Historical Context

Recent trend (last 7 days)

Date	Runs	Safe Output Failures	Success Rate	Key Issues
2026-03-17	—	—	—	EP017 (App token 404)
2026-03-18	176	1	83.3%	EP018 (protected path PR)
2026-03-19	120	0	100%	EP021 warning (line resolution)
2026-03-20	98	4	90.2%	EP006, EP015, EP016, EP021
2026-03-21	79	2	97.3%	EP016, EP006
2026-03-22	110	2	93.8%	EP006, EP022 (branch not found)
2026-03-23	98	1	85.7%	EP023 NEW (Copilot auth), EP021

Trends

• Core safe output operations (issue/comment/PR creation): 100% success rate today — consistent with recent trend
• Post-processing steps (Copilot assignment): new failure mode identified (EP023)
• EP006 (add_comment context mismatch): not observed today — possible improvement or no triggering runs
• EP021 (PR review line resolution): continues as low-severity recurring warning, self-healing

---

Next Steps

• Investigate Copilot API permission requirements for agent assignment (EP023)
• Standardize Copilot assignment error handling between Duplicate Code Detector and Issue Monster
• Monitor EP023 tomorrow to determine if this is a persistent auth issue or transient
• Consider making Copilot assignment step non-fatal when core safe output operations succeed

References:

• §23420898530 — Duplicate Code Detector (failure)
• §23420826663 — Issue Monster (copilot assignment warning)
• §23420748984 — Smoke Claude (EP021 warning)

AI generated by Safe Output Health Monitor · history

• expires on Mar 24, 2026, 4:35 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Safe Output Health Monitor.

A newer discussion is available at Discussion #22549.