Fix invalid checkout-pr output references in workflows without contents permission #14286

Merged
pelikhan merged 2 commits into main from copilot/fix-workflow-expression-errors
Feb 7, 2026

Copilot AI commented Feb 7, 2026

Two workflows (issue-triage-agent, weekly-issue-summary) reference steps.checkout-pr.outputs.checkout_pr_success but lack contents: read permission, causing the step to be skipped. The compiler unconditionally added the output reference, creating invalid workflow expressions.

Changes

  • Added ShouldGeneratePRCheckoutStep() helper to check contents read permission
  • Made checkout_pr_success output conditional in compiler_activation_jobs.go (only added when step will be generated)
  • Made GH_AW_CHECKOUT_PR_SUCCESS env var conditional in notify_comment.go (conclusion job)
  • Added unit tests for permission-based step generation logic

Pattern

Follows existing pattern for conditional outputs (e.g., secret_verification_result):

// Only add output if the step will actually be generated
if ShouldGeneratePRCheckoutStep(data) {
    outputs["checkout_pr_success"] = "${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}"
}

Workflows with permissions: { issues: read } no longer generate the invalid reference. Workflows with contents: read preserve existing behavior.

Original prompt

This section details the original issue you should resolve

<issue_title>[Code Quality] Fix workflow expression errors in issue-triage-agent and weekly-issue-summary</issue_title>
<issue_description>## Description

Two workflows reference a non-existent checkout-pr job, causing runtime failures. The workflows attempt to access needs.checkout-pr.outputs but the checkout-pr job doesn't exist in the workflow definition.

Affected Workflows

  • .github/workflows/issue-triage-agent.lock.yml (line 90)
  • .github/workflows/weekly-issue-summary.lock.yml (line 93)

Error Details

Actionlint findings:

issue-triage-agent.lock.yml:90 - Property "checkout-pr" not defined
weekly-issue-summary.lock.yml:93 - Property "checkout-pr" not defined

Suggested Fix

Investigate the two workflows and either:

  1. Add the missing checkout-pr job if it's required for the workflow logic
  2. Remove the invalid needs.checkout-pr.outputs references if they're no longer needed
  3. Fix the job name if it was renamed but references weren't updated

Steps to Reproduce

  1. View the affected lock files: issue-triage-agent.lock.yml and weekly-issue-summary.lock.yml
  2. Search for references to checkout-pr
  3. Verify whether the job exists in the workflow

Success Criteria

  • Workflows compile without expression errors
  • actionlint validation passes for both workflows
  • Workflows run successfully without undefined property errors
  • All job dependencies are valid

Priority

High - These errors will cause workflow failures at runtime

Source

Extracted from Static Analysis Report discussion github/gh-aw#14235

Found by actionlint static analysis tool during comprehensive workflow scanning on February 6, 2026.

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 8, 2026, 5:16 AM UTC

Comments on the Issue (you are @copilot in this section)


- Add ShouldGeneratePRCheckoutStep() helper to check if checkout-pr step will be generated
- Make checkout_pr_success output conditional based on contents read permission
- Update notify_comment.go to conditionally add GH_AW_CHECKOUT_PR_SUCCESS env var
- Add comprehensive unit tests for ShouldGeneratePRCheckoutStep()
- Recompile all workflows - fixes issue-triage-agent and weekly-issue-summary

Fixes #<issue_number>

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI changed the title from "[WIP] Fix workflow expression errors in issue triage agent and weekly issue summary" to "Fix invalid checkout-pr output references in workflows without contents permission" Feb 7, 2026
Copilot AI requested a review from pelikhan February 7, 2026 05:32
pelikhan marked this pull request as ready for review February 7, 2026 05:39
Copilot AI review requested due to automatic review settings February 7, 2026 05:39
pelikhan merged commit 080dad7 into main Feb 7, 2026
123 of 125 checks passed
pelikhan deleted the copilot/fix-workflow-expression-errors branch February 7, 2026 05:40
Copilot AI left a comment

Pull request overview

This PR fixes invalid GitHub Actions expressions produced by the workflow compiler when the checkout-pr step is skipped due to missing contents: read permissions, by making downstream references conditional on whether the step will be generated.

Changes:

  • Added ShouldGeneratePRCheckoutStep() to centralize the “has contents read access” check for PR checkout generation.
  • Made checkout_pr_success job output and GH_AW_CHECKOUT_PR_SUCCESS env var conditional on that permission check.
  • Updated the affected locked workflows to remove invalid steps.checkout-pr.outputs.* / needs.*.outputs.* references when contents permission isn’t present.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pkg/workflow/pr_test.go | Adds unit tests covering permission inputs for ShouldGeneratePRCheckoutStep(). |
| pkg/workflow/pr.go | Introduces ShouldGeneratePRCheckoutStep() and reuses it for PR checkout step generation gating. |
| pkg/workflow/notify_comment.go | Conditionally injects GH_AW_CHECKOUT_PR_SUCCESS into conclusion/failure handling env vars. |
| pkg/workflow/compiler_activation_jobs.go | Conditionally publishes checkout_pr_success job output only when checkout-pr step will exist. |
| .github/workflows/weekly-issue-summary.lock.yml | Removes invalid checkout_pr_success output and env var references from the lockfile. |
| .github/workflows/issue-triage-agent.lock.yml | Removes invalid checkout_pr_success output and env var references from the lockfile. |

Comment on lines +741 to +750
// Add checkout_pr_success output to track PR checkout status only if the checkout-pr step will be generated
// This is used by the conclusion job to skip failure handling when checkout fails
// (e.g., when PR is merged and branch is deleted)
outputs["checkout_pr_success"] = "${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}"
compilerActivationJobsLog.Print("Added checkout_pr_success output")
// The checkout-pr step is only generated when the workflow has contents read permission
if ShouldGeneratePRCheckoutStep(data) {
outputs["checkout_pr_success"] = "${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}"
compilerActivationJobsLog.Print("Added checkout_pr_success output (workflow has contents read access)")
} else {
compilerActivationJobsLog.Print("Skipped checkout_pr_success output (workflow lacks contents read access)")
}
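
Review bot: on the assignment inside the new if ShouldGeneratePRCheckoutStep(data) block, the || 'true' fallback is kept, so an empty step output still reads as a successful checkout. The comment above says the conclusion job uses this value to skip failure handling, and with this expression it cannot tell "checkout succeeded" from "the step never wrote an output". Now that the output is emitted only when the step is generated, say in that comment which runtime cases the fallback is meant to cover, or drop the fallback if none remain.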

Copilot AI Feb 7, 2026

The new conditional addition of checkout_pr_success output isn’t covered by unit tests. Since pkg/workflow/compiler_activation_jobs_test.go already exercises buildMainJob, add assertions for both cases (permissions with contents read/write vs. without contents) to ensure the output key is present/absent as expected and prevent regressions to invalid steps.checkout-pr.outputs.* references.

Comment on lines 165 to +169
// Add checkout_pr_success to detect PR checkout failures (e.g., PR merged and branch deleted)
agentFailureEnvVars = append(agentFailureEnvVars, fmt.Sprintf(" GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.%s.outputs.checkout_pr_success }}\n", mainJobName))
// Only add if the checkout-pr step will be generated (requires contents read access)
if ShouldGeneratePRCheckoutStep(data) {
agentFailureEnvVars = append(agentFailureEnvVars, fmt.Sprintf(" GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.%s.outputs.checkout_pr_success }}\n", mainJobName))
}
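
Review bot: inside the new if in this hunk, GH_AW_CHECKOUT_PR_SUCCESS is appended only when the checkout-pr step will be generated, so for workflows without contents read access the conclusion job now runs with the variable unset instead of populated from the job output. The visible lines do not show how the consumer treats an unset value; state the expected default in the comment at the if, and confirm the failure handler reads unset as "no checkout failure" rather than comparing the variable against 'true'.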

Copilot AI Feb 7, 2026

GH_AW_CHECKOUT_PR_SUCCESS is now conditionally added based on permissions, but pkg/workflow/notify_comment_test.go doesn’t assert either the presence or absence of this env var. Add a test (or extend an existing one) covering both branches so workflows without contents: read don’t accidentally reintroduce invalid needs.<job>.outputs.checkout_pr_success references.
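
The failure mode this PR fixes, as an added example (not code from gh-aw): a text-level check that flags steps.<id>.outputs.* references whose step id is never declared, run over a constructed workflow fragment. UndefinedStepRefs and sampleBroken are hypothetical names, and treating the whole file as one scope is a simplification; actionlint, which reported the original finding, does its own resolution.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

var (
	// A step id declaration: "- id: x" or an indented "id: x".
	stepIDRe = regexp.MustCompile(`(?m)^\s*(?:-\s+)?id:\s*([A-Za-z0-9_-]+)\s*$`)
	// An expression reference such as steps.checkout-pr.outputs.checkout_pr_success.
	stepRefRe = regexp.MustCompile(`steps\.([A-Za-z0-9_-]+)\.outputs\.`)
)

// UndefinedStepRefs returns, sorted, each step id referenced as steps.<id>.outputs.*
// with no matching "id:" declaration. Assumption: the file is a single scope.
func UndefinedStepRefs(workflow string) []string {
	defined := map[string]bool{}
	for _, m := range stepIDRe.FindAllStringSubmatch(workflow, -1) {
		defined[m[1]] = true
	}
	seen := map[string]bool{}
	missing := []string{}
	for _, m := range stepRefRe.FindAllStringSubmatch(workflow, -1) {
		if !defined[m[1]] && !seen[m[1]] {
			seen[m[1]] = true
			missing = append(missing, m[1])
		}
	}
	sort.Strings(missing)
	return missing
}

// Constructed sample: no contents permission, so no checkout-pr step, yet it is referenced.
const sampleBroken = `permissions: { issues: read }
jobs:
  agent:
    outputs:
      checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
      model: ${{ steps.generate.outputs.model }}
    steps:
      - id: generate
        run: echo "model=x" >> "$GITHUB_OUTPUT"
`

func main() {
	fmt.Println(UndefinedStepRefs(sampleBroken)) // [checkout-pr]
}
```

Running the same check over every compiled lock file in CI would catch a regression in either conditional branch the review comments ask to be tested.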
