Fix safe-outputs artifact 409 conflict by using a dedicated artifact name#21840
Fix safe-outputs artifact 409 conflict by using a dedicated artifact name#21840
Conversation
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…t name The safe_outputs job was uploading the safe-output-items.jsonl manifest to an artifact named "agent", which is the same name used by the main agent job. GitHub Actions v4 doesn't allow two jobs to upload to the same artifact name in a workflow run, causing a 409 Conflict error. Fix: use a dedicated "safe-output-items" artifact name for the manifest upload instead of "agent". Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
Smoke Test Results (Run §23311183829)
Overall:
Note 🔒 Integrity filtering filtered 2 itemsIntegrity filtering activated and filtered the following items during workflow execution.
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Smoke test review of PR #21840. The fix correctly resolves the 409 artifact conflict by using a dedicated "safe-output-items" artifact name for the safe_outputs job. Constants are well-documented and all lock files updated consistently.
Note
🔒 Integrity filtering filtered 2 items
Integrity filtering activated and filtered the following items during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.
- pr:#21840 (
pull_request_read: Resource 'pr:#21840' has lower integrity than agent requires. Agent would need to drop integrity tags [unapproved:all approved:all] to trust this resource.) - pr:#21840 (
pull_request_read: Resource 'pr:#21840' has lower integrity than agent requires. Agent would need to drop integrity tags [approved:all unapproved:all] to trust this resource.)
📰 BREAKING: Report filed by Smoke Copilot
|
|
||
| // SafeOutputItemsArtifactName is the artifact name for the safe output items manifest. | ||
| // This artifact contains the JSONL manifest of all items created by safe output handlers | ||
| // and is uploaded by the safe_outputs job to avoid conflicting with the "agent" artifact |
There was a problem hiding this comment.
Good fix! Using a dedicated artifact name "safe-output-items" for safe output items avoids the 409 conflict with the "agent" artifact. The comment clearly explains the rationale too. 👍
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
Smoke Test (Codex)PRs: #21836 Comment out unconfigured app credentials in activation-app.md and safe-output-app.md; #21838 Add --filtered-integrity flag to logs command Warning
|
|
💥 Smoke test §23311183889 complete — PARTIAL (16 ✅, 2
Note 🔒 Integrity filtering filtered 1 itemIntegrity filtering activated and filtered the following item during workflow execution.
|
The
safe_outputsjob uploadssafe-output-items.jsonlto an artifact named"agent"— the same name theagentjob already claimed. GitHub Actions v4 rejects duplicate artifact names within a run with a 409 Conflict, causingsafe_outputsto consistently fail.Changes
SafeOutputItemsArtifactName = "safe-output-items"inpkg/constants/constants.gobuildSafeOutputItemsManifestUploadStepnow uploads to"safe-output-items"(or"<prefix>safe-output-items"inworkflow_callcontext) instead of"agent"gh aw auditis unaffected —flattenSingleFileArtifactsalready promotes single-file artifacts to the output root, sosafe-output-items.jsonllands at the same expected path regardless of which artifact contains it. All 175 workflow lock files recompiled.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw COm2idZAocbElsb9-C(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw go ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel git /usr/bin/git c374ced2de93e36egit go util.test git(http block)https://api.github.com/orgs/test-owner/actions/secrets/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name an.lock.yml tcfg n-dir/git b136a0101c461533git GO111MODULE 64/bin/go git show�� p.lock.yml ache/go/1.25.0/xGO111MODULE it k.yml GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha /tmp/gh-aw-test-runs/20260319-183840-30597/test-3867357381 rev-parse /usr/bin/git @{u} sh n-dir/git git rev-�� --show-toplevel git /usr/bin/git lic_1363014574/0git go it git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha sistency_GoAndJavaScript350455383/001/test-empty-frontmatter.md HEAD /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet le-workflow-analgit GO111MODULE cal/bin/git /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 8c5a609d:.github/workflows/mcp-inspector.lock.yml go x_amd64/link mary.lock.yml GO111MODULE 64/bin/go x_amd64/link show�� c374ced2de93e36e8c5a609d:.github/workflows/githu-errorsas go 64/pkg/tool/linux_amd64/link s.lock.yml GO111MODULE 8c5a609d us/3YdcVDbgE0y5Gdx8vjli/0T4iAjLvbmFIeJQ5VOoc(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel git /usr/bin/git 8c5a609d:.githubgh go x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git 8c5a609d:.githubgit go 0/x64/bin/git git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel git /usr/bin/git 3840-30597/test-git go .cfg git rev-�� --show-toplevel git 0/x64/bin/npm /v2.0.0 go ache/go/1.25.0/x--show-toplevel 0/x64/bin/npm(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --get remote.origin.url /usr/bin/git /workflows/githugit go 64/bin/git git bran�� --show-current git /usr/bin/git /workflows/gpclegit 14357/b434/imporrev-parse de/node/bin/git git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha user.email test@example.com /usr/lib/git-core/git /workflows/githugit go cal/bin/git /usr/lib/git-core/git main�� run --auto /usr/bin/git --detach node rgo/bin/git git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git util.test go ortcfg.link git rev-�� --show-toplevel Ik68it_nH2gSrVWrsb/WrsaZCqRpvSTiHMe1VZH/CV7k7xB_8PrFuEMPUBX- /usr/bin/git 012358461/.githugit go g_.a git(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha ttern-detector.lock.yml GOPROXY 0/x64/bin/git GOSUMDB GOWORK 64/bin/go git show�� -triage-agent.lock.yml ache/go/1.25.0/xGO111MODULE cal/bin/git k.yml GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -monster.lock.yml ache/go/1.25.0/xGO111MODULE nfig/composer/vendor/bin/git(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -monster.lock.yml ache/go/1.25.0/xGO111MODULE ache/go/1.25.0/x64/bin/git 14357/b390/_pkg_/opt/hostedtoolcache/CodeQL/2.24.3/x64/codeql/codeql GO111MODULE 64/bin/go git show�� /workflows/firewall-escape.lock.yml go ndor/bin/git er.lock.yml GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha add origin /usr/bin/git /workflows/githugit go bin/git git init�� 64/bin/go git /usr/bin/git /workflows/gpclegit 14357/b419/imporrev-parse ache/node/24.14.--show-toplevel git(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha user.name Test User /usr/bin/git /workflows/githugit go de/node/bin/git git chec�� master git /usr/bin/git /workflows/gpclegit 14357/b436/imporrev-parse bin/git git(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha g_.a --global $name) { hasDiscussionsEnabled } }(http block)https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha 8070955/b421/_pkg_.a go 8070955/b421=> ht.lock.yml GO111MODULE t git show�� wlHC/eMdwFO3cBOLj36ZOwlHC go /opt/hostedtoolcache/CodeQL/2.24.3/x64/codeql/tools/linux64/java/bin/java ssion-task-minergit GO111MODULE nfig/composer/ve--show-toplevel /opt/hostedtoolcache/CodeQL/2.24.3/x64/codeql/to1(http block)https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha(http block)https://api.github.com/repos/github/gh-aw/usr/bin/gh gh api /repos/github/gh-aw --jq .visibility(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha 250b4632708761bcc374ced2de93e36e8c5a609d:.github/workflows/issue-triage-agent.lock.yml go /opt/hostedtoolcache/go/1.25.0/x64/bin/git yml GO111MODULE /opt/hostedtoolc--show-toplevel git rev-�� ithub-script/git/ref/tags/v8 go /opt/hostedtoolcache/go/1.25.0/x64/bin/bash r.lock.yml GO111MODULE t bash(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha t0 go 0/x64/bin/node m0s GO111MODULE(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1 go x_amd64/vet .yml GO111MODULE 64/bin/go x_amd64/vet show�� 8c5a609d:.github/workflows/issueremote.origin.url go cal/bin/git -analysis.lock.ygit GO111MODULE /db-actions /trap/actions(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 go cal/bin/git .yml GO111MODULE 64/bin/go git show�� 8c5a609d:.github/workflows/issueremote.origin.url go rgo/bin/git scan.lock.yml GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 go t .yml GO111MODULE 64/bin/go git show�� 8c5a609d:.github/workflows/issue-c=4 go nfig/composer/vendor/bin/git scan.lock.yml GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2 go vascript/tools/e-nolocalimports .yml GO111MODULE 64/bin/go git show�� 8c5a609d:.github/workflows/issue-c=4 go x_amd64/link scan.lock.yml GO111MODULE 64/bin/go x_amd64/link(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3 go x_amd64/compile .yml GO111MODULE 64/bin/go x_amd64/compile show�� 8c5a609d:.github/workflows/issuego1.25.0 go de/node/bin/git scan.lock.yml GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4 go x_amd64/link k.yml GO111MODULE 64/bin/go x_amd64/link show�� 8c5a609d:.github/workflows/issuego1.25.0 go ache/go/1.25.0/x64/bin/git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5 go x_amd64/vet .yml GO111MODULE 64/bin/go x_amd64/vet show�� 8c5a609d:.github/workflows/issue-monster.lock.yml go bin/git -analysis.lock.ygit GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --output /tmp/codeql-scratch-6948d8b57e9298e6/dbs/actions/results-actions.json --additional-packs /tmp/codeql-SZCIWS/pr-diff-range --extension-packs codeql-action/pr-diff-range qhvBYvKH7u1n show�� t-spec-maintainer.lock.yml go ndor/bin/git yml GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GO111MODULE 64/bin/go git show�� /workflows/githu-run=^Test node x86_64/git run lint:cjs 64/bin/go git(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GO111MODULE 64/bin/go git estl�� 8c5a609d:.github/workflows/instructions-janitor.lock.yml go bin/git ock.yml GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha 8c5a609d:.github/workflows/grump--repo go At,event,headBranch,headSha,displayTitle yml GO111MODULE 64/bin/go git show�� 8c5a609d:.github/workflows/layout-spec-maintainer.lock.yml go nfig/composer/vendor/bin/git eport.lock.yml GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha nspector.lock.yml go /home/REDACTED/.config/composer/vendor/bin/git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha nspector.lock.yml go de/node/bin/git(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha fest.lock.yml go ache/node/24.14.0/x64/bin/git l GO111MODULE 64/bin/go git show�� /workflows/gloss-errorsas npx /home/REDACTED/.lo-nilfunc er.lock.yml **/*.cjs 64/bin/go git(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha fest.lock.yml go /lib/jspawnhelper l GO111MODULE 64/bin/go /lib/jspawnhelpe-buildtags show�� /workflows/go-fa-errorsas node /home/REDACTED/.co-nilfunc er.lock.yml --check 64/bin/go git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha nspector.lock.yml go bin/git l GO111MODULE 64/bin/go git show�� /workflows/gloss-errorsas sh ache/node/24.14.-nilfunc er.lock.yml GOPROXY 64/bin/go git(http block)https://api.github.com/repos/githubnext/agentics/git/ref/tags//usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha 8c5a609d:.github/workflows/grumpy-reviewer.lock.yml go nfig/composer/vendor/bin/git yml GO111MODULE 64/bin/go git show�� y_only_defaults_repo575269695/001 go 64/bin/git eport.lock.yml GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion l GO111MODULE 64/bin/go git show�� 8c5a609d:.github/workflows/issue-triage-agent.lock.yml 5j/BHrfMlSlqE-FJqVM_i97/CM8m25TMCWfmvF_X7N6K rgo/bin/git cs-tester.lock.ygit GO111MODULE 27d1943ffa54c611--show-toplevel git(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo p/bin/git -json GO111MODULE 64/bin/go git show�� t-spec-maintainer.lock.yml go x86_64/git yml GO111MODULE 64/bin/go git(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/git -json GO111MODULE 64/bin/go git show�� t-spec-maintainer.lock.yml go de/node/bin/git yml GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build1888070955/b399/cli.test /tmp/go-build1888070955/b399/cli.test -test.testlogfile=/tmp/go-build1888070955/b399/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOSUMDB GOWORK 64/bin/go git show�� -monster.lock.yml ache/go/1.25.0/xGO111MODULE it(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name an.lock.yml tcfg t g/testutil/tempdgit GO111MODULE 64/bin/go git show�� p.lock.yml ache/go/1.25.0/xGO111MODULE nfig/composer/vendor/bin/git k.yml GO111MODULE 64/bin/go git(http block)If you need me to access, download, or install something from one of these locations, you can either:
🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.
✨ PR Review Safe Output Test - Run 23311183889
Note
🔒 Integrity filtering filtered 1 item
Integrity filtering activated and filtered the following item during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.
pull_request_read: Resource 'pr:Fix safe-outputs artifact 409 conflict by using a dedicated artifact name #21840' has lower integrity than agent requires. Agent would need to drop integrity tags [unapproved:all approved:all] to trust this resource.)