From eb3084282089efbc9d4ea21b2c69ab8cf1cb371b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Mon, 9 Mar 2026 20:29:42 +0000
Subject: [PATCH] Add debug logging to artifact manager, update command, and
 MCP config utils

- artifact_manager.go: Log when NewArtifactManager() constructs a new manager
- create_code_scanning_alert.go: Log driver name, target-repo, allowed-repos count,
  and parsed config summary in parseCodeScanningAlertsConfig
- logs_utils.go: Log count of .lock.yml files found and each discovered workflow name
- mcp_config_utils.go: Log the shouldRewriteLocalhostToDocker decision result
- update_command.go: Log before UpdateActions and UpdateActionsInWorkflowFiles calls,
  and log completion status in RunUpdateWorkflows

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 pkg/cli/logs_utils.go                      |  3 +++
 pkg/cli/update_command.go                  |  3 +++
 pkg/workflow/artifact_manager.go           |  1 +
 pkg/workflow/create_code_scanning_alert.go | 10 ++++++++++
 pkg/workflow/mcp_config_utils.go           |  4 +++-
 5 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/pkg/cli/logs_utils.go b/pkg/cli/logs_utils.go
index 2b6019e9b74..269c9746ad6 100644
--- a/pkg/cli/logs_utils.go
+++ b/pkg/cli/logs_utils.go
@@ -38,6 +38,8 @@ func getAgenticWorkflowNames(verbose bool) ([]string, error) {
 		return nil, fmt.Errorf("failed to glob .lock.yml files: %w", err)
 	}
 
+	logsUtilsLog.Printf("Found %d .lock.yml file(s) in %s", len(files), workflowsDir)
+
 	for _, file := range files {
 		if verbose {
 			fmt.Fprintln(os.Stderr, console.FormatInfoMessage("Reading workflow file: "+file))
@@ -64,6 +66,7 @@ func getAgenticWorkflowNames(verbose bool) ([]string, error) {
 					name = strings.Trim(name, `"'`)
 					if name != "" {
 						workflowNames = append(workflowNames, name)
+						logsUtilsLog.Printf("Discovered workflow name: %s (from %s)", name, file)
 						if verbose {
 							fmt.Fprintln(os.Stderr, console.FormatInfoMessage("Found agentic workflow: "+name))
 						}
diff --git a/pkg/cli/update_command.go b/pkg/cli/update_command.go
index e41841c2335..ba470c3a727 100644
--- a/pkg/cli/update_command.go
+++ b/pkg/cli/update_command.go
@@ -121,6 +121,7 @@ func RunUpdateWorkflows(workflowNames []string, allowMajor, force, verbose bool,
 	// Update GitHub Actions versions in actions-lock.json.
 	// By default all actions are updated to the latest major version.
 	// Pass --disable-release-bump to revert to only forcing updates for core (actions/*) actions.
+	updateLog.Printf("Updating GitHub Actions versions in actions-lock.json: allowMajor=%v, disableReleaseBump=%v", allowMajor, disableReleaseBump)
 	if err := UpdateActions(allowMajor, verbose, disableReleaseBump); err != nil {
 		// Non-fatal: warn but don't fail the update
 		fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Warning: Failed to update actions-lock.json: %v", err)))
@@ -128,10 +129,12 @@ func RunUpdateWorkflows(workflowNames []string, allowMajor, force, verbose bool,
 
 	// Update action references in user-provided steps within workflow .md files.
 	// By default all org/repo@version references are updated to the latest major version.
+	updateLog.Print("Updating action references in workflow .md files")
 	if err := UpdateActionsInWorkflowFiles(workflowsDir, engineOverride, verbose, disableReleaseBump, noCompile); err != nil {
 		// Non-fatal: warn but don't fail the update
 		fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Warning: Failed to update action references in workflow files: %v", err)))
 	}
 
+	updateLog.Printf("Update process complete: had_error=%v", firstErr != nil)
 	return firstErr
 }
diff --git a/pkg/workflow/artifact_manager.go b/pkg/workflow/artifact_manager.go
index 966c9fb97a1..abd1635ff63 100644
--- a/pkg/workflow/artifact_manager.go
+++ b/pkg/workflow/artifact_manager.go
@@ -87,6 +87,7 @@ type ArtifactFile struct {
 
 // NewArtifactManager creates a new artifact manager
 func NewArtifactManager() *ArtifactManager {
+	artifactManagerLog.Print("Creating new artifact manager")
 	return &ArtifactManager{
 		uploads:   make(map[string][]*ArtifactUpload),
 		downloads: make(map[string][]*ArtifactDownload),
diff --git a/pkg/workflow/create_code_scanning_alert.go b/pkg/workflow/create_code_scanning_alert.go
index 56ea1b004a4..45475997c29 100644
--- a/pkg/workflow/create_code_scanning_alert.go
+++ b/pkg/workflow/create_code_scanning_alert.go
@@ -29,22 +29,32 @@ func (c *Compiler) parseCodeScanningAlertsConfig(outputMap map[string]any) *Crea
 		if driver, exists := configMap["driver"]; exists {
 			if driverStr, ok := driver.(string); ok {
 				securityReportsConfig.Driver = driverStr
+				createCodeScanningAlertLog.Printf("Using custom SARIF driver name: %s", driverStr)
 			}
 		}
 
 		// Parse target-repo
 		securityReportsConfig.TargetRepoSlug = parseTargetRepoFromConfig(configMap)
+		if securityReportsConfig.TargetRepoSlug != "" {
+			createCodeScanningAlertLog.Printf("Target repo for code scanning alerts: %s", securityReportsConfig.TargetRepoSlug)
+		}
 
 		// Parse allowed-repos
 		securityReportsConfig.AllowedRepos = parseAllowedReposFromConfig(configMap)
+		if len(securityReportsConfig.AllowedRepos) > 0 {
+			createCodeScanningAlertLog.Printf("Allowed repos for cross-repo alerts: %d configured", len(securityReportsConfig.AllowedRepos))
+		}
 
 		// Parse common base fields with default max of 0 (unlimited)
 		c.parseBaseSafeOutputConfig(configMap, &securityReportsConfig.BaseSafeOutputConfig, 0)
 	} else {
 		// If configData is nil or not a map (e.g., "create-code-scanning-alert:" with no value),
 		// still set the default max (nil = unlimited)
+		createCodeScanningAlertLog.Print("No config map provided, using defaults (unlimited max)")
 		securityReportsConfig.Max = nil
 	}
 
+	createCodeScanningAlertLog.Printf("Parsed create-code-scanning-alert config: driver=%q, target-repo=%q, allowed-repos=%d",
+		securityReportsConfig.Driver, securityReportsConfig.TargetRepoSlug, len(securityReportsConfig.AllowedRepos))
 	return securityReportsConfig
 }
diff --git a/pkg/workflow/mcp_config_utils.go b/pkg/workflow/mcp_config_utils.go
index c023e643a7e..c58de73f7e3 100644
--- a/pkg/workflow/mcp_config_utils.go
+++ b/pkg/workflow/mcp_config_utils.go
@@ -82,9 +82,11 @@ func rewriteLocalhostToDockerHost(url string) string {
 // running on the host. Rewriting is enabled whenever the agent sandbox is active
 // (i.e. sandbox.agent is not explicitly disabled).
 func shouldRewriteLocalhostToDocker(workflowData *WorkflowData) bool {
-	return workflowData != nil && (workflowData.SandboxConfig == nil ||
+	result := workflowData != nil && (workflowData.SandboxConfig == nil ||
 		workflowData.SandboxConfig.Agent == nil ||
 		!workflowData.SandboxConfig.Agent.Disabled)
+	mcpUtilsLog.Printf("shouldRewriteLocalhostToDocker: %v (agent sandbox active)", result)
+	return result
 }
 
 // noOpCacheMemoryRenderer is a no-op MCPToolRenderers.RenderCacheMemory function for engines