From 323eaf999b86203d10cb1b0615aeb5f29047d7a8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Mar 2026 18:29:46 +0000
Subject: [PATCH 1/2] Initial plan


From d28cb75ffe4c09e8a5ce3890f85e0f5e4b72454b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Mar 2026 18:50:52 +0000
Subject: [PATCH 2/2] fix: move Protected Files section before footer in
 fallback issues (#21824)

When a PR creation fails due to protected files (e.g. workflows permission),
the agent creates a fallback issue. Previously the issue body had:
1. Agent body (including footer with integrity note)
2. Protected Files warning section

This fix reorders to:
1. Agent-generated main body (without footer)
2. Protected Files warning section
3. Footer (guard notices, attribution, XML markers)

Changes:
- create_pull_request.cjs: snapshot mainBodyContent before footer, capture footerContent
- manifest_protection_push_failed_fallback.md: use {main_body}/{footer} instead of {body}
- manifest_protection_create_pr_fallback.md: same template change

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 actions/setup/js/create_pull_request.cjs      | 21 ++++++++++++++++---
 .../manifest_protection_create_pr_fallback.md |  3 ++-
 ...anifest_protection_push_failed_fallback.md |  4 +++-
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/actions/setup/js/create_pull_request.cjs b/actions/setup/js/create_pull_request.cjs
index 27399382ff4..0439529b3d2 100644
--- a/actions/setup/js/create_pull_request.cjs
+++ b/actions/setup/js/create_pull_request.cjs
@@ -586,8 +586,14 @@ async function main(config = {}) {
       bodyLines.push(trackerIDComment);
     }
 
+    // Snapshot the body content (without footer) for use in protected-files fallback ordering.
+    // The protected-files section must appear before the footer (including guard notices such as
+    // the integrity-filtering note) so that the footer always comes last in the issue body.
+    const mainBodyContent = bodyLines.join("\n").trim();
+
     // Generate footer using messages template system (respects custom messages.footer config)
     // When footer is disabled, only add XML markers (no visible footer content)
+    const footerParts = [];
     if (includeFooter) {
       const historyUrl = generateHistoryUrl({
         owner: repoParts.owner,
@@ -602,18 +608,25 @@ async function main(config = {}) {
         footer += "\n\n<!-- gh-aw-expires-type: pull-request -->";
       }
       bodyLines.push(``, ``, footer);
+      footerParts.push(footer);
     }
 
     // Add standalone workflow-id marker for searchability (consistent with comments)
     // Always add XML markers even when footer is disabled
     if (workflowId) {
-      bodyLines.push(``, generateWorkflowIdMarker(workflowId));
+      const workflowIdMarker = generateWorkflowIdMarker(workflowId);
+      // Add to bodyLines for the normal PR body path.
+      // Add to footerParts so the fallback issue body places it after the protected-files section.
+      bodyLines.push(``, workflowIdMarker);
+      footerParts.push(workflowIdMarker);
     }
 
     bodyLines.push("");
 
     // Prepare the body content
     const body = bodyLines.join("\n").trim();
+    // Footer section (footer + workflow-id marker) used when ordering protected-files notices
+    const footerContent = footerParts.join("\n\n");
 
     // Build labels array - merge config labels with message labels
     let labels = [...envLabels];
@@ -974,7 +987,8 @@ ${patchPreview}`;
         const pushFailedTemplatePath = `${process.env.RUNNER_TEMP}/gh-aw/prompts/manifest_protection_push_failed_fallback.md`;
         const pushFailedTemplate = fs.readFileSync(pushFailedTemplatePath, "utf8");
         fallbackBody = renderTemplate(pushFailedTemplate, {
-          body,
+          main_body: mainBodyContent,
+          footer: footerContent,
           files: filesFormatted,
           run_id: String(runId),
           branch_name: branchName,
@@ -992,7 +1006,8 @@ ${patchPreview}`;
         const templatePath = `${process.env.RUNNER_TEMP}/gh-aw/prompts/manifest_protection_create_pr_fallback.md`;
         const template = fs.readFileSync(templatePath, "utf8");
         fallbackBody = renderTemplate(template, {
-          body,
+          main_body: mainBodyContent,
+          footer: footerContent,
           files: filesFormatted,
           create_pr_url: createPrUrl,
         });
diff --git a/actions/setup/md/manifest_protection_create_pr_fallback.md b/actions/setup/md/manifest_protection_create_pr_fallback.md
index 8986d79150d..ee94f7deef1 100644
--- a/actions/setup/md/manifest_protection_create_pr_fallback.md
+++ b/actions/setup/md/manifest_protection_create_pr_fallback.md
@@ -1,4 +1,4 @@
-{body}
+{main_body}
 
 ---
 
@@ -13,3 +13,4 @@
 
 To route changes like this to a review issue instead of blocking, configure `protected-files: fallback-to-issue` in your workflow configuration.
 
+{footer}
diff --git a/actions/setup/md/manifest_protection_push_failed_fallback.md b/actions/setup/md/manifest_protection_push_failed_fallback.md
index b4df2520f1a..b90345a8910 100644
--- a/actions/setup/md/manifest_protection_push_failed_fallback.md
+++ b/actions/setup/md/manifest_protection_push_failed_fallback.md
@@ -1,4 +1,4 @@
-{body}
+{main_body}
 
 ---
 
@@ -25,3 +25,5 @@ git am --3way /tmp/agent-artifacts-{run_id}/{patch_file}
 git push origin {branch_name}
 gh pr create --title '{title}' --base {base_branch} --head {branch_name} --repo {repo}
 ```
+
+{footer}