[safeoutputs] Improve update_issue tool description: clarify issue_number is only effective with target='*' #22282

@github-actions

Summary

Analysis of the last 24 hours of workflow runs (139 runs analyzed) identified 1 error where an agent incorrectly used the update_issue safe output tool. The workflow prompt appears correct — the agent provided issue_number as documented — but the tool description does not make it clear that issue_number is silently ignored when the workflow is not configured with target: '*'.

Error Analysis Details

Error Pattern: issue_number ignored when target='triggering'

Occurrences: 1 time (workflow: Workflow Health Manager - Meta-Orchestrator)

What the agent did:

```json
{
  "type": "update_issue",
  "issue_number": "22108",
  "operation": "replace",
  "title": "Workflow Health Dashboard — 2026-03-22 | Score: 69/100 ↓5",
  "body": "..."
}
```

**What happened:**
The MCP tool call returned `{"result":"success"}` — the agent believed it succeeded. But in the `safe_outputs` job, the call failed:

```
##[warning]Target is "triggering" but not running in issue context, skipping update_issue
##[error]✗ Message 2 (update_issue) failed: Target is "triggering" but not running in issue
         context, skipping update_issue
##[error]1 safe output(s) failed:
  - update_issue: Target is "triggering" but not running in issue context
```

Why this happened:

The workflow (workflow-health-manager.md) runs on a schedule event and is configured with:

```yaml
safe-outputs:
  update-issue:
    max: 5
    # no `target` specified → defaults to `triggering`
```

With target: triggering (the default), the handler ignores issue_number and instead tries to use the workflow trigger context. Since this was a scheduled run (no triggering issue), the call failed.

The agent provided issue_number: "22108" based on the tool description's guidance, reasonably expecting this would specify which issue to update. The tool description does not warn that issue_number has no effect outside of target: '*' mode.

Current Tool Description

Current issue_number field in safe_outputs_tools.json:

```json
{
  "issue_number": {
    "type": ["number", "string"],
    "description": "Issue number to update. This is the numeric ID from the GitHub URL (e.g., 789 in github.com/owner/repo/issues/789). Required when the workflow target is '*' (any issue)."
  }
}
```

### Root Cause Analysis

The tool description issues:

1. **`issue_number` behavior is context-dependent but not explained**: The description says "Required when the workflow target is '*'" but does not say it is **ignored** when the target is `triggering`. Agents reading this naturally assume providing `issue_number` will always target that specific issue.

2. **MCP tool returns success prematurely**: The MCP tool call returns `{"result":"success"}` even when execution will fail at the `safe_outputs` job. Agents have no in-session feedback that their target won't work.

3. **Target mode is not visible to agents**: Agents cannot see the workflow's `update-issue: target:` configuration. The only way to know which mode is active is from the tool description itself.

### Recommended Improvements

#### Update `issue_number` field description in `pkg/workflow/js/safe_outputs_tools.json`

**Current:**
```
Issue number to update. This is the numeric ID from the GitHub URL (e.g., 789 in
github.com/owner/repo/issues/789). Required when the workflow target is '*' (any issue).
```

**Suggested:**
```
Issue number to update. This is the numeric ID from the GitHub URL (e.g., 789 in
github.com/owner/repo/issues/789). ONLY effective when the workflow is configured with
`update-issue: target: '*'` in the frontmatter. When the workflow uses `target: triggering`
(the default), this field is ignored and the tool updates the issue that triggered the
workflow instead. If you need to update a specific issue in a scheduled or
workflow_dispatch workflow, the workflow frontmatter must include `update-issue:
target: '*'`.
```

#### Also improve the top-level tool description

Add a note clarifying that update_issue behavior depends on the workflow's target configuration, and that the tool will fail (not skip silently) when target: triggering and there is no triggering issue.

Affected Workflows

Testing Plan

After updating the tool description:

  1. Recompile all affected workflows with make recompile
  2. Check that workflow-health-manager.md is correctly configured (update-issue: target: '*' if it needs to update arbitrary issues, or ensure it's only enabled in issue-triggered contexts)
  3. Monitor logs for 2-3 days to verify similar errors do not recur

Implementation Checklist

  • Update issue_number field description in pkg/workflow/js/safe_outputs_tools.json
  • Consider also updating actions/setup/js/safe_outputs_tools.json
  • Update top-level update_issue tool description to mention target dependency
  • Verify workflow-health-manager.md has correct update-issue target config
  • Run make build to rebuild binary
  • Run make recompile to update all workflows
  • Run make test to ensure no regressions

References

  • Tool schema: pkg/workflow/js/safe_outputs_tools.json
  • Handler logic: actions/setup/js/safe_output_helpers.cjs:81-110
  • Implementation: actions/setup/js/update_issue.cjs

Run with error: §23398187371

[!NOTE]

**🔒 Integrity filter blocked 1 item**

The following item was blocked because it doesn't meet the GitHub integrity level.

  • #unknown search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

```yaml
tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none
```

Generated by Daily Safe Output Tool Optimizer · expires on Mar 24, 2026, 3:52 PM UTC
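An added example, not part of the issue and not gh-aw code: a pre-flight check that applies the target rules described under Root Cause Analysis before a call is acknowledged, so the scheduled-run case is rejected in-session instead of returning success. The function name, the `config` and `context` object shapes, and the restriction to the two target modes named in the issue (`'*'` and `triggering`) are assumptions.

```javascript
// Added illustration; names and object shapes are assumptions, not gh-aw APIs.
function resolveUpdateIssueTarget(message, config = {}, context = {}) {
  // Per the issue text: an unset `target` defaults to "triggering".
  const target = config.target || "triggering";
  // The schema allows number or string; accept only a positive integer.
  const raw = message.issue_number;
  const given = /^[1-9]\d*$/.test(String(raw ?? "")) ? Number(raw) : null;

  if (target === "*") {
    if (given === null) {
      return { ok: false, error: "target '*' requires a numeric issue_number" };
    }
    return { ok: true, issueNumber: given, ignored: [] };
  }
  if (target === "triggering") {
    // Only the event's own issue can be updated; issue_number has no effect.
    const triggering = context.issueNumber ?? null;
    if (triggering === null) {
      return {
        ok: false,
        error: `target "triggering" but event "${context.eventName}" has no issue context`,
      };
    }
    const ignored = given !== null && given !== triggering ? ["issue_number"] : [];
    return { ok: true, issueNumber: triggering, ignored };
  }
  return { ok: false, error: `unsupported target "${target}"` };
}

// Constructed inputs modelled on the failing call quoted in the issue.
const message = { type: "update_issue", issue_number: "22108", operation: "replace" };

function demo() {
  return {
    // Scheduled run, no target configured: the case that failed.
    scheduledDefault: resolveUpdateIssueTarget(message, { max: 5 }, { eventName: "schedule" }),
    // Same run with target '*': issue_number is honoured.
    scheduledAny: resolveUpdateIssueTarget(message, { max: 5, target: "*" }, { eventName: "schedule" }),
    // Issue-triggered run (constructed issue 17): issue_number is reported as ignored.
    issueEvent: resolveUpdateIssueTarget(message, { max: 5 }, { eventName: "issues", issueNumber: 17 }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Returning the `ignored` list alongside the resolved issue number gives the agent in-session feedback in the case where the call would succeed but update a different issue than the one it named.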
