github · pelikhan · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026
diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml
diff --git a/.github/workflows/breaking-change-checker.md b/.github/workflows/breaking-change-checker.md
@@ -129,12 +129,18 @@ Is it removing schema fields or making optional fields required?
 
 ### If NO Breaking Changes Found
 
-Output a noop message:
-
-```
-No breaking changes detected in commits from the last 24 hours. Analysis complete.
+**YOU MUST CALL** the `noop` tool to log completion:
+
+```json
+{
+  "noop": {
+    "message": "No breaking changes detected in commits from the last 24 hours. Analysis complete."
+  }
+}
 ```
 
+**DO NOT just write this message in your output text** - you MUST actually invoke the `noop` tool. The workflow will fail if you don't call it.
+
 Do NOT create an issue if there are no breaking changes.
 
 ### If Breaking Changes Found

diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml
diff --git a/.github/workflows/daily-malicious-code-scan.md b/.github/workflows/daily-malicious-code-scan.md
@@ -256,7 +256,7 @@ A successful malicious code scan:
 - ✅ Scans for secret exfiltration patterns
 - ✅ Detects out-of-context code
 - ✅ Checks for suspicious system operations
-- ✅ Generates code-scanning alerts (not issues) for findings
+- ✅ **Calls the `create_code_scanning_alert` tool for findings OR calls the `noop` tool if clean**
 - ✅ Provides detailed, actionable alert descriptions
 - ✅ Completes within 15-minute timeout
 - ✅ Handles repositories with no changes gracefully
@@ -266,19 +266,22 @@ A successful malicious code scan:
 Your output MUST:
 
 1. **If suspicious patterns are found**:
-   - Generate code-scanning alerts using the `create_code_scanning_alert` output format
+   - **CALL** the `create_code_scanning_alert` tool for each finding
    - Each alert must include: rule_id, message, severity, file_path, start_line, description
    - Provide detailed descriptions explaining the threat and remediation
 
-2. **If no suspicious patterns are found**:
-   - Use the `noop` output to log completion:
+2. **If no suspicious patterns are found** (REQUIRED):
+   - **YOU MUST CALL** the `noop` tool to log completion
+   - This is a **required safe output** - the workflow will fail if you don't call it
+   - Call the tool with this message structure:
    ```json
    {
      "noop": {
        "message": "✅ Daily malicious code scan completed. Analyzed [N] files changed in the last 3 days. No suspicious patterns detected."
      }
    }
    ```
+   - **DO NOT just write this message in your output text** - you MUST actually invoke the `noop` tool
 
 3. **Analysis summary** (in alert descriptions or noop message):
    - Number of files analyzed
@@ -311,4 +314,12 @@ Your output MUST:
 }
 ```
 
+## ⚠️ CRITICAL REMINDER
+
+**YOU MUST produce a safe output:**
+- **If threats found**: Call the `create_code_scanning_alert` tool for each finding
+- **If no threats found**: Call the `noop` tool with a completion message
+
+**The workflow WILL FAIL if you don't call one of these tools.** Writing a message in your output text is NOT sufficient - you must actually invoke the tool.
+
 Begin your daily malicious code scan now. Analyze all code changes from the last 3 days, identify suspicious patterns, and generate appropriate code-scanning alerts for any threats detected.