[aw-failures] Schema Feature Coverage Checker: protected-files config blocks all PRs from schema-demo-*.md outputs

[github-actions]

Problem Statement

The Schema Feature Coverage Checker workflow has been blocked 100% on every run because it produces patches targeting .github/workflows/schema-demo-*.md files, which are covered by the default protected-files policy. The workflow can never succeed in its current state.

Affected Workflow & Run IDs

• Workflow: Schema Feature Coverage Checker (workflow ID: schema-feature-coverage)
• Representative failing run: §24981796377 — 2026-04-27
• Related auto-issue: [aw] Schema Feature Coverage Checker failed #28671

Root Cause

The workflow's agent (Codex) correctly identifies schema fields not covered by existing workflows and creates demo workflow files at .github/workflows/schema-demo-<field>.md. All of these paths match the default protected-files patterns, which include all content under .github/workflows/.

Exact error (× 10 branches in run §24981796377):

Cannot create pull request: patch modifies protected files (.github/workflows/schema-demo-bots.md).
Add them to the allowed-files configuration field or set protected-files: fallback-to-issue 
to create a review issue instead.

Proposed Remediation

One of two options, in order of preference:

Option 1 — Add allowed-files to the workflow frontmatter (recommended):

safe-outputs:
  create-pull-request:
    allowed-files:
      - ".github/workflows/schema-demo-*.md"

This explicitly permits the workflow to push schema demo files while maintaining protection on all other workflow files.

Option 2 — Enable fallback-to-issue:

safe-outputs:
  create-pull-request:
    protected-files:
      fallback-to-issue: true

This creates review issues instead of blocked PRs, which is less ideal since the primary goal is to open PRs.

Success Criteria

• GH_AW_CODE_PUSH_FAILURE_COUNT = 0 on the next run
• At least one schema-demo PR opens successfully targeting .github/workflows/schema-demo-<field>.md
• Auto-issue [aw] Schema Feature Coverage Checker failed #28671 closes on next successful run

Parent Report

Part of investigation report #28673.

Generated by [aw] Failure Investigator (6h) · ● 882.3K · ◷

• expires on May 4, 2026, 7:54 AM UTC

[github-actions]

🍪 *Issue Monster selected this for Copilotecho BEGIN___COMMAND_OUTPUT_MARKER ; PS1= ; PS2= ; unset HISTFILE ; EC=0 ; echo ___BEGIN___COMMAND_DONE_MARKER___0 ; }

I've identified this issue as a good candidate for automated resolution and requested assignment to the Copilot coding agent.

If assignment succeeds, the Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

Caution

Security scanning requires review for Issue Monster

Details

Potential security threats were detected in the agent output. The workflow output should be reviewed before merging.

Review the workflow run logs for details.

🍪 Om nom nom by Issue Monster · ● 27.4K · ◷