push-to-pull-request-branch safe-output fails with "Cannot generate incremental patch: failed to fetch" due to shallow base_ref checkout in safe_outputs job #21542
Description
Summary
The push_to_pull_request_branch safe-output handler fails with:
push_to_pull_request_branch
└ {"result":"error","error":"Cannot generate incremental patch: failed to fetch..."}
This appears to be caused by the compiled safe_outputs job checking out github.base_ref with fetch-depth: 1, while the handler script (safe_output_handler_manager.cjs) needs to fetch the PR head branch ref to compute the incremental patch. The shallow clone of the base branch lacks the remote tracking refs needed to resolve the head branch.
Related: #21436
Environment
- gh-aw version: v0.58.3 (compiled lock file)
- Latest tested release: v0.61.0 — reviewed release notes from v0.58.2 through v0.61.0; no fix targets this specific failure
- Trigger:
pull_request(opened, synchronize, reopened) - Runner: GitHub-hosted (ubuntu)
Workflow Configuration (source)
safe-outputs:
push-to-pull-request-branch:
max: 1
if-no-changes: ignore
checkout:
ref: ${{ github.head_ref }}
fetch-depth: 1Root Cause Analysis (from compiled lock.yml)
The compiled workflow has two relevant jobs:
1. Agent job (works correctly)
- Checks out
github.head_refwithfetch-depth: 1(line ~291-295) - Configures git credentials with
github.token(line ~298-309) - Agent makes changes, commits locally, calls
push_to_pull_request_branchMCP tool - The MCP tool records the intent as a safe-output item (does NOT push directly)
2. safe_outputs job (where the failure occurs)
-
Downloads the agent's output artifact
-
Checks out
github.base_ref(notgithub.head_ref) withfetch-depth: 1(line ~1161-1166):ref: ${{ github.base_ref || github.event.pull_request.base.ref || github.ref_name || github.event.repository.default_branch }}
-
Configures git credentials via
remote set-urlwith the token (line ~1167-1180) -
Runs
safe_output_handler_manager.cjswhich attempts to generate the incremental patch
The problem: The handler needs to resolve origin/<head-branch> to compute the incremental diff between what the agent produced and the current state of the PR branch. But the checkout is a shallow clone (fetch-depth: 1) of the base branch (e.g., master). The head branch ref doesn't exist in this shallow clone, so the fetch fails.
Why this isn't fixed in v0.58.3–v0.61.0
Reviewed all safe-outputs-related fixes in this range:
| Version | Fix | Relevant? |
|---|---|---|
| v0.58.2 | safe-outputs items capture fix | No |
| v0.59.0 | safe-outputs tools loaded at runtime | No |
| v0.60.0 | checkout: false git credentials fix |
No (different path) |
| v0.61.0 | staged mode fix for all handlers (#21414) | No (different bug) |
None address the safe_outputs job checking out the wrong ref or the shallow clone depth being insufficient for the handler to fetch the head branch.
Suggested Fix
The safe_outputs job should either:
- Check out
github.head_refinstead ofgithub.base_ref(since the patch is applied to the PR branch), OR - Use
fetch-depth: 0(or at least enough depth) so the handler can resolve both base and head refs, OR - The handler script should explicitly
git fetch origin <head-ref>before attempting to compute the incremental patch (it may already try this, but the fetch appears to fail silently or with the reported error)
Steps to Reproduce
- Create an agentic workflow (
.md) triggered onpull_requestwithpush-to-pull-request-branchsafe-output - Compile with
gh aw compile(v0.58.3) - Open a PR that triggers the workflow
- Agent makes changes and calls
push_to_pull_request_branch - The
safe_outputsjob fails withCannot generate incremental patch: failed to fetch...