This is the daily automated compatibility audit for gh-aw against top public repositories using lock files.
Summary
| Metric |
Value |
| Repositories tested |
20 |
| Successful compilations |
14 |
| Failed compilations |
6 (30%) |
| Compiler panics |
1 π¨ |
| gh-aw version |
74d8068 |
| Run timestamp |
2026-04-17 10:52 UTC |
| Run ID |
Β§24561385452 |
π¨ Critical: Compiler Panic
C-Ross/LlamaOfFate triggers a nil pointer dereference crash in gh-aw compile --strict when all workflow files are shared components (no on: field). This is a bug in the compiler itself.
panic: runtime error: invalid memory address or nil pointer dereference
github.com/github/gh-aw/pkg/workflow.scanWorkflowsForExpires(...)
pkg/workflow/maintenance_workflow.go:206
github.com/github/gh-aw/pkg/workflow.GenerateMaintenanceWorkflow(...)
pkg/workflow/maintenance_workflow.go:107
Root cause: scanWorkflowsForExpires does not guard against an empty/all-shared workflow slice. When there are no compilable workflows (all skipped as shared), the function receives nil or zero-length data and panics.
Fix required: Add nil/empty check in maintenance_workflow.go:206 before dereferencing workflow slice.
Failed Repositories
View all 6 failures
github/copilot-sdk (8,432 β) β Secrets in steps (strict mode)
cross-repo-issue-analysis.md:1:1: error: strict mode: secrets expressions detected in
'steps' section may be leaked to the agent job.
Found: $\{\{ secrets.RUNTIME_TRIAGE_TOKEN }}
Pattern: git clone (xaccesstoken/redacted):$\{\{ secrets.TOKEN }}@github.com/... in a run: step.
Fix: Move the clone to a separate job or use env: binding at step level.
microsoft/FluidFramework (4,920 β) β MCP server in tools section
duplicate-code-detector.md:1:1: error: tools.serena: unknown tool name.
If 'serena' is a custom MCP server, define it under 'mcp-servers' instead.
Pattern: tools:\n serena: ["typescript"]
Fix: Move serena from tools: to mcp-servers: with command/args definition.
AdaCore/z3 (0 β) β Cross-repo include auth + unknown safe-output
6 of 6 workflows fail:
failed to fetch file content: authentication token not found for host github.com (5 workflows, referencing agentics/shared/* private includes)Unknown property: push-to-pr-branch in safe-outputs section (pr-fix.md)
Fix for (2): push-to-pr-branch may be a removed/renamed safe-output property. Check current docs.
C-Ross/LlamaOfFate (0 β) β Compiler panic (see Critical section above)
Exit code: 2. All 4 workflow files are shared components with no on: field.
Pierre-VF/oss4climate (0 β) β Duplicate YAML mapping key
repo-assist.md:36:3: error: mapping key "allowed" already defined at [28:3]
Pattern: allowed: key appears twice in the network: section.
Fix: Merge both allowed: blocks into a single list.
TJKlein/mcpruntime (0 β) β Secrets in engine.env (strict mode)
All 3 workflows fail:
engine.env section will be leaked to the agent container.
Found: $\{\{ secrets.AZURE_OPENAI_ENDPOINT }}
Pattern: Azure OpenAI credentials in engine.env for custom codex engine.
Fix: Use engine-specific secret configuration instead of inline engine.env.
Fix Pass Effectiveness
The gh aw fix --write pass resolved 0 of 6 failures. The fix codemods do not yet cover secrets-in-strict-mode violations, tools/mcp-servers confusion, auth-required includes, or compiler panics.
Recommendations
- Bug fix (priority: high): Fix nil pointer in
maintenance_workflow.go:206 β crashes on all-shared-workflow repos
- Codemod: Add
tools β mcp-servers migration codemod for fix --write
- Documentation: Clarify
push-to-pr-branch removal/rename in safe-outputs changelog
- Recurring error: Secrets in strict mode (2 repos) β see companion issue
References:
Generated by Daily AW Cross-Repo Compile Check Β· β 681.5K Β· β·
This is the daily automated compatibility audit for
gh-awagainst top public repositories using lock files.Summary
74d8068π¨ Critical: Compiler Panic
C-Ross/LlamaOfFatetriggers anil pointer dereferencecrash ingh-aw compile --strictwhen all workflow files are shared components (noon:field). This is a bug in the compiler itself.Root cause:
scanWorkflowsForExpiresdoes not guard against an empty/all-shared workflow slice. When there are no compilable workflows (all skipped as shared), the function receivesnilor zero-length data and panics.Fix required: Add nil/empty check in
maintenance_workflow.go:206before dereferencing workflow slice.Failed Repositories
View all 6 failures
github/copilot-sdk (8,432 β) β Secrets in steps (strict mode)
Pattern:
git clone (xaccesstoken/redacted):$\{\{ secrets.TOKEN }}@github.com/...in arun:step.Fix: Move the clone to a separate job or use
env:binding at step level.microsoft/FluidFramework (4,920 β) β MCP server in tools section
Pattern:
tools:\n serena: ["typescript"]Fix: Move
serenafromtools:tomcp-servers:withcommand/argsdefinition.AdaCore/z3 (0 β) β Cross-repo include auth + unknown safe-output
6 of 6 workflows fail:
failed to fetch file content: authentication token not found for host github.com(5 workflows, referencingagentics/shared/*private includes)Unknown property: push-to-pr-branchinsafe-outputssection (pr-fix.md)Fix for (2):
push-to-pr-branchmay be a removed/renamed safe-output property. Check current docs.C-Ross/LlamaOfFate (0 β) β Compiler panic (see Critical section above)
Exit code: 2. All 4 workflow files are shared components with no
on:field.Pierre-VF/oss4climate (0 β) β Duplicate YAML mapping key
Pattern:
allowed:key appears twice in thenetwork:section.Fix: Merge both
allowed:blocks into a single list.TJKlein/mcpruntime (0 β) β Secrets in engine.env (strict mode)
All 3 workflows fail:
Pattern: Azure OpenAI credentials in
engine.envfor customcodexengine.Fix: Use engine-specific secret configuration instead of inline
engine.env.Fix Pass Effectiveness
The
gh aw fix --writepass resolved 0 of 6 failures. The fix codemods do not yet cover secrets-in-strict-mode violations, tools/mcp-servers confusion, auth-required includes, or compiler panics.Recommendations
maintenance_workflow.go:206β crashes on all-shared-workflow repostools β mcp-serversmigration codemod forfix --writepush-to-pr-branchremoval/rename in safe-outputs changelogReferences: