Skip to content

fix: use artifact prefix in conclusion job and script step downloads for workflow_call context#21011

Merged
pelikhan merged 6 commits intomainfrom
copilot/fix-agent-artifact-naming
Mar 15, 2026
Merged

fix: use artifact prefix in conclusion job and script step downloads for workflow_call context#21011
pelikhan merged 6 commits intomainfrom
copilot/fix-agent-artifact-naming

Conversation

Copy link
Contributor

Copilot AI commented Mar 15, 2026
edited
Loading

In workflow_call compiled workflows, downstream jobs were downloading the agent artifact using the unprefixed name agent while the upload step correctly used ${{ needs.activation.outputs.artifact_prefix }}agent. This caused downloads to miss, leaving GH_AW_AGENT_OUTPUT unset and breaking downstream safe-output processing (noop, missing-tool, agent-failure handlers).

Changes

  • notify_comment.gobuildConclusionJob now passes artifactPrefixExprForDownstreamJob(data) (needs.activation.outputs.artifact_prefix) to buildAgentOutputDownloadSteps. The conclusion job always has activation in its needs, so this expression is valid.
  • safe_outputs_jobs.gobuildCustomActionStep and buildGitHubScriptStep now pass artifactPrefixExprForAgentDownstreamJob(data) (needs.agent.outputs.artifact_prefix) to buildAgentOutputDownloadSteps. Jobs built via buildSafeOutputJob (e.g. upload_assets) only declare needs: [agent], not activation, so the agent-downstream expression must be used.
  • notify_comment_test.go — Two new tests asserting the prefixed name is used in workflow_call context and no prefix is added for regular triggers.
  • safe_output_helpers_test.go — Two new tests asserting buildGitHubScriptStep uses needs.agent.outputs.artifact_prefix in workflow_call context and no prefix otherwise.
  • smoke-workflow-call.lock.yml — Recompiled; conclusion job and script step downloads now correctly emit the prefixed artifact name.

The fix aligns all download code paths with what buildConsolidatedSafeOutputsJob already did correctly, using the appropriate prefix expression for each job's dependency graph.

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

Copilot AI and others added 2 commits March 14, 2026 21:41
Initial plan
cb374eb
@pelikhan
fix: use artifact prefix in conclusion and script step downloads for …
6e2d40d 
…workflow_call context

In workflow_call-compiled lock files, the conclusion job was downloading the
agent artifact with an unprefixed name ('agent') while the upload step used
the per-invocation prefix ('${{ needs.activation.outputs.artifact_prefix }}agent').

This mismatch caused the download to miss, leaving GH_AW_AGENT_OUTPUT unset
and breaking downstream safe-output processing.

Fix: pass artifactPrefixExprForDownstreamJob(data) to buildAgentOutputDownloadSteps
in buildConclusionJob, buildGitHubScriptStep, and buildCustomActionStep.

Also adds two new tests:
- TestConclusionJobWorkflowCallArtifactPrefix: verifies prefixed artifact name in workflow_call context
- TestConclusionJobNonWorkflowCallNoArtifactPrefix: verifies no prefix in non-workflow_call context

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI linked an issue Mar 15, 2026 that may be closed by this pull request
workflow_call safe_outputs can download unprefixed agent artifact name #20910
Closed
@pelikhan pelikhan marked this pull request as ready for review March 15, 2026 01:42
Copilot AI review requested due to automatic review settings March 15, 2026 01:42
Copilot AI reviewed Mar 15, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes artifact download naming in workflow_call compiled workflows by ensuring downstream jobs use the same artifact name prefix as the upload step, preventing missing downloads and broken safe-output handlers.

Changes:

  • Pass the workflow-call artifact prefix into the conclusion job’s agent artifact download step.
  • Apply the same prefix to agent artifact downloads in safe-output step builders.
  • Add tests to validate prefixed vs unprefixed behavior, and recompile workflow-call smoke lock workflows.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
pkg/workflow/notify_comment.go Conclusion job now downloads the agent artifact using the workflow-call prefix expression.
pkg/workflow/safe_outputs_jobs.go Safe-output step builders now pass an artifact prefix expression into agent artifact downloads.
pkg/workflow/notify_comment_test.go Adds tests asserting prefixed download name for workflow_call and no prefix for non-workflow_call.
.github/workflows/smoke-workflow-call.lock.yml Recompiled lockfile reflects prefixed agent artifact download name in conclusion job.
.github/workflows/smoke-workflow-call-with-inputs.lock.yml Same as above for the “with inputs” smoke workflow lockfile.
Comments suppressed due to low confidence (1)

pkg/workflow/safe_outputs_jobs.go:193

  • artifactPrefixExprForDownstreamJob(data) expands to needs.activation.outputs.artifact_prefix in workflow_call workflows, but safe-output jobs that use this step builder (e.g. upload_assets built in publish_assets.go) only declare needs: [agent] and do not include activation. That makes the generated workflow invalid at runtime when the expression is evaluated. Use artifactPrefixExprForAgentDownstreamJob(data) here (since these jobs already depend on the agent job and the agent propagates artifact_prefix), or ensure the job's needs always includes activation when workflow_call is enabled.
	// Add artifact download steps before the custom action step.
	// In workflow_call context, use the per-invocation prefix to avoid artifact name clashes.
	steps = append(steps, buildAgentOutputDownloadSteps(artifactPrefixExprForDownstreamJob(data))...)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@pelikhan
Copy link
Contributor

pelikhan commented Mar 15, 2026

@copilot review comments

@pelikhan
fix: use agent-downstream artifact prefix in buildGitHubScriptStep an…
5f16465 
…d buildCustomActionStep

buildSafeOutputJob-based jobs (e.g. upload_assets) only depend on the agent job,
not the activation job. Using needs.activation.outputs.artifact_prefix in those
jobs would break workflow_call workflows since activation is not in their needs.

Use artifactPrefixExprForAgentDownstreamJob (needs.agent.outputs.artifact_prefix)
in buildGitHubScriptStep and buildCustomActionStep instead.

Also adds two tests verifying the correct prefix expression is used per context.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Mar 15, 2026
edited
Loading

@copilot review comments

Fixed in 5f16465. Changed buildGitHubScriptStep and buildCustomActionStep to use artifactPrefixExprForAgentDownstreamJob (needs.agent.outputs.artifact_prefix) instead of artifactPrefixExprForDownstreamJob (needs.activation.outputs.artifact_prefix). Jobs built via buildSafeOutputJob (e.g. upload_assets) only declare needs: [agent], not activation, so the activation-based expression would be undefined in those jobs.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD ode-gyp-bin/sh go env ck &#39;scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env ck &#39;scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --noprofile (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -unreachable=false /tmp/go-build3054811836/b213/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 4811836/b213/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 4811836/b224/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 4811836/b198/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 4811836/b219/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 4811836/b230/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha se 4811836/b215/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha se 4811836/b216/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha 6338267/b358/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE b/gh-aw/pkg/math-t GOMODCACHE go env IsiN/-5Z7JdU1nRtGOSUMDB GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 6338267/b358/importcfg (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility /tmp/go-build1686338267/b415/_pkGOINSECURE -trimpath 64/bin/go -p main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /opt�� prettier --check 64/bin/go **/*.ts **/*.json --ignore-path /bin/sh (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan March 15, 2026 01:56
@pelikhan pelikhan merged commit 47ab8dd into main Mar 15, 2026
52 checks passed
@pelikhan pelikhan deleted the copilot/fix-agent-artifact-naming branch March 15, 2026 02:04
@github-actions github-actions bot mentioned this pull request Mar 15, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

workflow_call safe_outputs can download unprefixed agent artifact name

3 participants

@pelikhan