Skip to content

Surface GitHub App authentication failures as explicit errors in agent failure issues#21424

Merged
pelikhan merged 6 commits intomainfrom
copilot/track-authentication-errors
Mar 17, 2026
Merged

Surface GitHub App authentication failures as explicit errors in agent failure issues#21424
pelikhan merged 6 commits intomainfrom
copilot/track-authentication-errors

Conversation

Copy link
Contributor

Copilot AI commented Mar 17, 2026
edited
Loading

When a GitHub App token minting step fails (bad credentials, missing installation, wrong permissions), the failure was silent — the safe_outputs or conclusion job would fail with no actionable message in the failure tracking issue.

Changes

Output tracking for token minting outcomes

  • compiler_safe_outputs_job.go: Exposes app_token_minting_failed as a job output (steps.safe-outputs-app-token.outcome == 'failure') when safe-outputs.github-app is configured
  • compiler_activation_job.go: Exposes activation_app_token_minting_failed similarly for the activation job's on.github-app token step

Conclusion job wiring

  • notify_comment.go: Passes three new env vars to the Handle Agent Failure step — GH_AW_SAFE_OUTPUTS_APP_TOKEN_MINTING_FAILED, GH_AW_CONCLUSION_APP_TOKEN_MINTING_FAILED (conclusion job's own step outcome), and GH_AW_ACTIVATION_APP_TOKEN_MINTING_FAILED
  • Adds StepCondition: "always()" to the Handle Agent Failure step so it runs even when the conclusion job's own GitHub App token step fails (they share the same credentials)

Step condition support

  • safe_outputs_steps.go: Added StepCondition string field to GitHubScriptStepConfig; buildGitHubScriptStepWithoutDownload emits if: {condition} when set

Failure message

  • handle_agent_failure.cjs: Adds buildAppTokenMintingFailedContext() — emitted when any of the three token flags is true. Triggers issue creation even when agent conclusion is not failure. Error message lists the four common causes (App ID, private key, installation, permissions).
  • agent_failure_issue.md / agent_failure_comment.md: Added {app_token_minting_failed_context} placeholder after {inference_access_error_context}
🔑 GitHub App Authentication Failed: Failed to generate a GitHub App installation access token.

This is typically caused by an incorrect GitHub App configuration. Please verify:
- The App ID secret/variable is set correctly
- The private key secret contains a valid PEM-encoded RSA private key
- The GitHub App is installed on the target repository or organization
- The App has the required permissions for your workflow's safe-outputs

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ation_test.go 64/bin/git bash --no�� h ../../../.prettierignore (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ation_test.go p/bin/git bash tdat�� h ../../../.pret.prettierignore (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha th .prettierignoremote.origin.url *_test.go $name) { hasDiscussionsEnabled } } p_workflow_test.git b_toolset_integr-C x86_64/grep bash ode_�� --noprofile git tions/setup/node_modules/.bin/sh ation g/workflow/compi-1 x86_64/bash git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha th .prettierignoremote.origin.url er_id_test.go $name) { hasDiscussionsEnabled } } p_workflow_test.infocmp s $k => $v) echo-1 cal/bin/bash bash ode_�� --noprofile git de_modules/.bin/sh ation g/workflow/compi-C g/workflow/compi/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha h ../../../.pret.prettierignore (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --noprofile (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Ensure that authentication errors from a GitHub App configuration are explicitly surfaced as authentication failures in the agent failure issue created in the conclusion job. Track the success of these tasks through their outputs, and present a clear message to the user indicating that the GitHub App configuration is incorrect.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@pelikhan
Initial plan for surfacing GitHub App auth errors
e1fdd8d 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@github-actions github-actions bot mentioned this pull request Mar 17, 2026
Closed
@github-actions
Copy link
Contributor

github-actions bot commented Mar 17, 2026

Hey @Copilot 👋 — thanks for kicking off work on surfacing GitHub App authentication failures more clearly in the agent failure issue flow! Helping users understand when their GitHub App is misconfigured is a meaningful improvement.

A few things to address before this is ready for review:

  • Diff doesn't reflect the stated goal yet — the only change currently in this PR removes a single # comment from .github/workflows/daily-safe-output-integrator.lock.yml, which is an auto-generated file that should not be manually edited. The core changes described in the checklist (handle_agent_failure.cjs, notify_comment.go, compiler_safe_outputs_job.go, templates, etc.) haven't been committed yet.
  • Most checklist items are unchecked — the PR is in a very early WIP state with the vast majority of the planned implementation still pending.
  • No tests yet — the plan calls for new tests in handle_agent_failure.test.cjs (using Vitest), but none have been committed. Existing test patterns in that file use describe/it/expect with vi.mock for mocking the GitHub API client.
  • Remember to run make agent-finish — as required by CONTRIBUTING.md, this must pass before the PR is ready for review.

If you'd like a hand finishing the implementation, you can assign this prompt to your coding agent:

Continue implementing GitHub App authentication failure handling in the gh-aw repository, as outlined in PR #21424. All changes should be made against the `copilot/track-authentication-errors` branch.

The following tasks are still pending:

1. **Add `StepCondition` field to `GitHubScriptStepConfig`** to support `if: always()` on individual steps (so the Handle Agent Failure step can run even when the conclusion job's own token fails).

2. **Track `app_token_minting_failed` output in `pkg/workflow/compiler_safe_outputs_job.go`** — when a GitHub App is configured, capture the app token minting result as a safe output so it can be referenced downstream.

3. **Track `activation_app_token_minting_failed` output** in the activation job with the same approach.

4. **Update `pkg/workflow/notify_comment.go` (conclusion job)**:
   - Pass app token minting failure env vars to the Handle Agent Failure step.
   - Add `if: always()` to the Handle Agent Failure step via the new `StepCondition` field.

5. **Add `buildAppTokenMintingFailedContext()` to `actions/setup/js/handle_agent_failure.cjs`**:
   - Read relevant env vars for `app_token_minting_failed` and `activation_app_token_minting_failed`.
   - Return a formatted markdown string (with emoji, explanation, and remediation hint) when either flag is set.
   - Export the new function.

6. **Add `hasAppTokenMintingFailed` condition check** in `handle_agent_failure.cjs` main flow.

7. **Add `{app_token_minting_failed_context}` placeholder** to both `agent_failure_issue.md` and `agent_failure_comment.md` templates in the appropriate templates directory.

8. **Add Vitest tests in `actions/setup/js/handle_agent_failure.test.cjs`** covering:
   - `buildAppTokenMintingFailedContext` returns empty string when no failure.
   - Returns a formatted message when `app_token_minting_failed` is set.
   - Returns a formatted message when `activation_app_token_minting_failed` is set.
   - Returns a combined message when both are set.

9. **Run `make agent-finish` and `make recompile`** to validate all changes compile, tests pass, and generated files are up to date. Do NOT manually edit any `.lock.yml` files — those are auto-generated.

Generated by Contribution Check ·

@pelikhan
Surface GitHub App auth errors as explicit failures in agent failure …
4427a0e 
…issue

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add explicit handling for GitHub App authentication failures Surface GitHub App authentication failures as explicit errors in agent failure issues Mar 17, 2026
Copilot AI requested a review from pelikhan March 17, 2026 17:49
pelikhan
pelikhan reviewed Mar 17, 2026
View reviewed changes
@pelikhan
Move app token minting error text to actions/setup/md/app_token_minti…
e4e90f6 
…ng_failed.md

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan March 17, 2026 21:15
This was referenced Mar 17, 2026
Closed
Closed
pelikhan
pelikhan reviewed Mar 17, 2026
View reviewed changes
@pelikhan
Use renderTemplate to render app_token_minting_failed.md
fbf5869 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan March 17, 2026 22:30
This was referenced Mar 17, 2026
Closed
Closed
@github-actions github-actions bot mentioned this pull request Mar 17, 2026
Closed
@pelikhan pelikhan marked this pull request as ready for review March 17, 2026 23:15
Copilot AI review requested due to automatic review settings March 17, 2026 23:15
@pelikhan pelikhan merged commit 229a7fe into main Mar 17, 2026
53 checks passed
@pelikhan pelikhan deleted the copilot/track-authentication-errors branch March 17, 2026 23:16
@github-actions github-actions bot mentioned this pull request Mar 17, 2026
Closed
Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Surface GitHub App authentication (installation token minting) failures as explicit, actionable context in the agent failure issue/comment generated from the conclusion job.

Changes:

  • Expose GitHub App token minting failure status as job outputs for safe_outputs and activation, and as a step outcome flag for the conclusion job.
  • Ensure the “Handle Agent Failure” step runs even if earlier conclusion steps (notably GitHub App token minting) fail by adding if: always().
  • Extend handle_agent_failure.cjs and templates to render a dedicated GitHub App auth failure section, with tests and a new markdown prompt.

Reviewed changes

Copilot reviewed 177 out of 177 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
pkg/workflow/safe_outputs_steps.go Adds optional step-level if: support for github-script steps (used to force failure handling to run).
pkg/workflow/notify_comment.go Wires new env vars for app token minting failure flags; sets “Handle Agent Failure” to always().
pkg/workflow/compiler_safe_outputs_job.go Exposes app_token_minting_failed as a safe_outputs job output (derived from token step outcome).
pkg/workflow/compiler_activation_job.go Exposes activation_app_token_minting_failed as an activation job output (derived from token step outcome).
actions/setup/md/app_token_minting_failed.md New prompt content describing common GitHub App auth misconfiguration causes and remediation.
actions/setup/md/agent_failure_issue.md Adds {app_token_minting_failed_context} placeholder into the issue template.
actions/setup/md/agent_failure_comment.md Adds {app_token_minting_failed_context} placeholder into the comment template.
actions/setup/js/handle_agent_failure.test.cjs Adds unit tests for the new GitHub App token minting failure context builder.
actions/setup/js/handle_agent_failure.cjs Adds buildAppTokenMintingFailedContext() and triggers failure reporting when token minting fails even if agent didn’t.
.github/workflows/workflow-skill-extractor.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/workflow-normalizer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/workflow-health-manager.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/workflow-generator.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/weekly-issue-summary.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/weekly-editors-health-check.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/video-analyzer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/update-astro.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/unbloat-docs.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/ubuntu-image-analyzer.lock.yml Ensures “Handle Agent Failure” runs with if: always() and wires activation token minting failure env var where present.
.github/workflows/typist.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/tidy.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/test-project-url-default.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/test-dispatcher.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/test-create-pr-error-handling.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/terminal-stylist.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/technical-doc-writer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/super-linter.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/sub-issue-closer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/step-name-alignment.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/static-analysis-report.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/stale-repo-identifier.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-workflow-call.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-workflow-call-with-inputs.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-update-cross-repo-pr.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-test-tools.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-temporary-id.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-project.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-multi-pr.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-gemini.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-create-cross-repo-pr.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-copilot.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-copilot-arm.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-codex.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-claude.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-call-workflow.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-agent-scoped-approved.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-agent-public-none.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-agent-public-approved.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-agent-all-none.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/smoke-agent-all-merged.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/slide-deck-maintainer.lock.yml Ensures “Handle Agent Failure” runs with if: always() and wires activation token minting failure env var where present.
.github/workflows/sergo.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/semantic-function-refactor.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/security-review.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/security-compliance.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/security-alert-burndown.campaign.g.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/scout.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/schema-consistency-checker.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/safe-output-health.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/research.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/repository-quality-improver.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/repo-tree-map.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/repo-audit-analyzer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/release.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/refiner.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/q.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/python-data-charts.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/prompt-clustering-analysis.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/pr-triage-agent.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/pr-nitpick-reviewer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/portfolio-analyst.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/poem-bot.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/plan.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/pdf-summary.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/org-health-report.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/notion-issue-summary.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/mergefest.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/mcp-inspector.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/lockfile-stats.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/layout-spec-maintainer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/jsweep.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/issue-triage-agent.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/issue-monster.lock.yml Ensures “Handle Agent Failure” runs with if: always() and wires activation token minting failure env var where present.
.github/workflows/issue-arborist.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/instructions-janitor.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/hourly-ci-cleaner.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/grumpy-reviewer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/gpclean.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/go-pattern-detector.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/go-logger.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/go-fan.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/glossary-maintainer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/github-remote-mcp-auth-test.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/github-mcp-tools-report.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/github-mcp-structural-analysis.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/functional-pragmatist.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/firewall-escape.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/example-workflow-analyzer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/duplicate-code-detector.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/draft-pr-cleanup.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/docs-noob-tester.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/discussion-task-miner.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/dictation-prompt.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/developer-docs-consolidator.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/dev.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/dev-hawk.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/dependabot-go-checker.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/dependabot-burner.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/delight.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/deep-report.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/dead-code-remover.lock.yml Ensures “Handle Agent Failure” runs with if: always() and wires activation token minting failure env var where present.
.github/workflows/daily-workflow-updater.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-testify-uber-super-expert.lock.yml Adds if: always() plus passes safe_outputs/conclusion/activation token minting failure flags and exposes safe_outputs output.
.github/workflows/daily-team-status.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-team-evolution-insights.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-syntax-error-quality.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-semgrep-scan.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-security-red-team.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-secrets-analysis.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-safe-outputs-conformance.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-safe-output-optimizer.lock.yml Ensures “Handle Agent Failure” runs with if: always() and wires activation token minting failure env var where present.
.github/workflows/daily-safe-output-integrator.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-repo-chronicle.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-rendering-scripts-verifier.lock.yml Ensures “Handle Agent Failure” runs with if: always() and wires activation token minting failure env var where present.
.github/workflows/daily-regulatory.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-performance-summary.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-observability-report.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-news.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-multi-device-docs-tester.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Adds if: always() plus passes safe_outputs/conclusion token minting failure flags and exposes safe_outputs output.
.github/workflows/daily-malicious-code-scan.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-issues-report.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-function-namer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-firewall-report.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-file-diet.lock.yml Adds if: always() plus passes safe_outputs/conclusion/activation token minting failure flags and exposes safe_outputs output.
.github/workflows/daily-fact.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-doc-updater.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-doc-healer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-copilot-token-report.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-compiler-quality.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-code-metrics.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-cli-tools-tester.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-cli-performance.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-choice-test.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-assign-issue-to-user.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/daily-architecture-diagram.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/craft.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/copilot-session-insights.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/copilot-pr-prompt-analysis.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/copilot-pr-nlp-analysis.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/copilot-pr-merged-report.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/copilot-cli-deep-research.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/copilot-agent-analysis.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/contribution-check.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/constraint-solving-potd.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/commit-changes-analyzer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/code-simplifier.lock.yml Ensures “Handle Agent Failure” runs with if: always() and wires activation token minting failure env var where present.
.github/workflows/code-scanning-fixer.lock.yml Ensures “Handle Agent Failure” runs with if: always() and wires activation token minting failure env var where present.
.github/workflows/cloclo.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/cli-version-checker.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/cli-consistency-checker.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/claude-code-user-docs-review.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/ci-doctor.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/ci-coach.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/changeset.lock.yml Adds if: always() and exposes safe_outputs app_token_minting_failed output where present.
.github/workflows/breaking-change-checker.lock.yml Ensures “Handle Agent Failure” runs with if: always() and wires activation token minting failure env var where present.
.github/workflows/brave.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/bot-detection.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/blog-auditor.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/auto-triage-issues.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/audit-workflows.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/artifacts-summary.lock.yml Adds if: always() plus passes safe_outputs/conclusion token minting failure flags and exposes safe_outputs output.
.github/workflows/archie.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/ai-moderator.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/agent-persona-explorer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.
.github/workflows/agent-performance-analyzer.lock.yml Ensures “Handle Agent Failure” runs with if: always() in compiled workflow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

pkg/workflow/safe_outputs_steps.go
Comment on lines +136 to +140
// StepCondition is an optional `if:` expression for the step.
// When non-empty, `if: {StepCondition}` is inserted after the step ID so the
// step runs only when the condition is true. Use "always()" to run even after
// earlier steps in the same job have failed.
StepCondition string
actions/setup/md/agent_failure_comment.md
Comment on lines 1 to +3
Agent job [{run_id}]({run_url}) failed.

{secret_verification_context}{inference_access_error_context}{assignment_errors_context}{create_discussion_errors_context}{code_push_failure_context}{repo_memory_validation_context}{push_repo_memory_failure_context}{missing_data_context}{missing_safe_outputs_context}{timeout_context}{fork_context}
{secret_verification_context}{inference_access_error_context}{app_token_minting_failed_context}{assignment_errors_context}{create_discussion_errors_context}{code_push_failure_context}{repo_memory_validation_context}{push_repo_memory_failure_context}{missing_data_context}{missing_safe_outputs_context}{timeout_context}{fork_context}
This was referenced Mar 18, 2026
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan