
feat: integrity-aware cache-memory with git-backed integrity branching and policy-scoped keys#23425

Merged: pelikhan merged 6 commits into main from copilot/fix-cache-memory-integrity-issues on Mar 29, 2026

Conversation


Copilot AI commented Mar 29, 2026

Cache-memory used a flat filesystem with no integrity provenance, allowing a none-integrity agent to poison the cache and have a merged-integrity run blindly restore that data — a Bell-LaPadula write-up violation.

Cache key format

New format includes integrity level and a compile-time policy hash:

# Before
memory-{workflowID}-{runID}

# After (with guard policy)
memory-unapproved-7e4d9f12-{workflowID}-{runID}

# After (no guard policy)
memory-none-nopolicy-{workflowID}-{runID}

The 8-character policy hash is SHA-256 over a canonical representation of all allow-only fields (blocked-users, min-integrity, repos, trusted-bots, trusted-users). Lists are sorted, lowercased, and deduplicated before hashing so field ordering is irrelevant. Changing any policy field forces a cache miss.

Git-backed integrity branching

The compiler now generates two shell steps around agent execution:

Pre-agent (setup_cache_memory_git.sh):

  1. On cache miss (no .git/): git init on merged branch, create all four integrity branches from the same baseline — automatic migration from legacy flat-file cache
  2. git checkout {integrity-level}
  3. Merge down from all higher-integrity branches (-X theirs — higher integrity always wins conflicts)

Post-agent (commit_cache_memory_git.sh, runs if: always()):

  1. git add -A && git commit -m "run-{run_id}" on the current integrity branch
  2. git gc --auto to control repo size

The agent sees plain files — completely unaware of git. The .git/ directory rides along in the actions/cache tarball.

Merge semantics

| Run integrity | Sees data from | Cannot see |
|---|---|---|
| merged | merged only | approved, unapproved, none |
| approved | approved + merged | unapproved, none |
| unapproved | unapproved + approved + merged | none |
| none | all levels | |

Files changed

  • pkg/workflow/cache_integrity.go — policy hash computation, canonical forms, key format helpers
  • pkg/workflow/cache.go — computeIntegrityCacheKey(), git setup/commit step generators; update_cache_memory job uses same key logic
  • pkg/workflow/compiler_yaml_main_job.go — wire in post-agent git commit steps
  • actions/setup/sh/setup_cache_memory_git.sh — pre-agent git init + branch checkout + merge-down
  • actions/setup/sh/commit_cache_memory_git.sh — post-agent commit + gc
  • pkg/workflow/cache_integrity_test.go — 32 unit tests: hash determinism, field change detection, order independence, canonical forms, step generation
  • 178 lock files recompiled with new key format and git steps

Migration note: existing caches will get a cache miss on first run after upgrade — intentional, as legacy data has no integrity provenance.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:



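The key format and merge-down rule from the PR description, as an added example that is not the project's code: the Policy struct, the canonical layout and the helper names are assumptions; only the key shape, the 8-character SHA-256 prefix, the "nopolicy" slot and the level ordering come from the PR.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Integrity levels, highest first. The merge-down rule is built on this
// ordering: a run at level L merges from every level strictly above it.
var integrityOrder = []string{"merged", "approved", "unapproved", "none"}

// Policy stands in for the allow-only guard fields the PR says are hashed
// (blocked-users, min-integrity, repos, trusted-bots, trusted-users).
// The type and field names are assumptions, not the project's own types.
type Policy struct {
	BlockedUsers []string
	MinIntegrity string
	Repos        []string
	TrustedBots  []string
	TrustedUsers []string
}

// canonicalList lowercases, trims, deduplicates and sorts a list so that
// ordering and case in the frontmatter cannot change the resulting hash.
func canonicalList(items []string) string {
	seen := make(map[string]bool)
	out := make([]string, 0, len(items))
	for _, it := range items {
		v := strings.ToLower(strings.TrimSpace(it))
		if v == "" || seen[v] {
			continue
		}
		seen[v] = true
		out = append(out, v)
	}
	sort.Strings(out)
	return strings.Join(out, ",")
}

// canonicalPolicy renders the allow-only fields in a fixed order.
// The exact layout is an assumption; determinism is what the key needs.
func canonicalPolicy(p Policy) string {
	var sb strings.Builder
	sb.WriteString("blocked-users:" + canonicalList(p.BlockedUsers) + "\n")
	sb.WriteString("min-integrity:" + strings.ToLower(strings.TrimSpace(p.MinIntegrity)) + "\n")
	sb.WriteString("repos:" + canonicalList(p.Repos) + "\n")
	sb.WriteString("trusted-bots:" + canonicalList(p.TrustedBots) + "\n")
	sb.WriteString("trusted-users:" + canonicalList(p.TrustedUsers) + "\n")
	return sb.String()
}

// policyHash is the first 8 hex characters of SHA-256 over the canonical form.
func policyHash(p Policy) string {
	sum := sha256.Sum256([]byte(canonicalPolicy(p)))
	return hex.EncodeToString(sum[:])[:8]
}

// cacheKey builds memory-{integrity}-{policyHash}-{workflowID}-{runID}.
// With no guard policy the hash slot is the literal "nopolicy", as in the PR.
func cacheKey(level string, p *Policy, workflowID, runID string) string {
	h := "nopolicy"
	if p != nil {
		h = policyHash(*p)
	}
	return fmt.Sprintf("memory-%s-%s-%s-%s", level, h, workflowID, runID)
}

// mergeSources lists the branches a run at `level` merges down from: every
// strictly higher level, highest first. "merged" gets none; unknown gets nil.
func mergeSources(level string) []string {
	var srcs []string
	for _, l := range integrityOrder {
		if l == level {
			return srcs
		}
		srcs = append(srcs, l)
	}
	return nil
}

func main() {
	// Constructed sample policies: same content in different order and case,
	// and one with an extra trusted user (which must force a cache miss).
	base := Policy{TrustedUsers: []string{"Alice", "bob"}, Repos: []string{"org/a"}, MinIntegrity: "approved"}
	reordered := Policy{TrustedUsers: []string{"bob", "alice", "ALICE"}, Repos: []string{"org/a"}, MinIntegrity: "approved"}
	changed := base
	changed.TrustedUsers = []string{"alice", "bob", "mallory"}
	fmt.Println(cacheKey("unapproved", &base, "wf", "123"))
	fmt.Println("order-independent:", policyHash(base) == policyHash(reordered))
	fmt.Println("field change misses:", policyHash(base) != policyHash(changed))
	fmt.Println("none merges from:", mergeSources("none"))
}
```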
✨ PR Review Safe Output Test - Run 23707807704

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude ·

Copilot AI and others added 2 commits March 29, 2026 11:06
- Add policy hash computation (SHA-256, 8 chars) over canonical allow-only policy
- Update cache key format to memory-{integrity}-{policyHash}-{workflowID}-{runID}
- Add pre-agent git setup step (setup_cache_memory_git.sh) for integrity branching
- Add post-agent git commit step (commit_cache_memory_git.sh) to persist history
- Recompile all 178 workflows with new key format and git steps
- Add comprehensive unit tests for policy hashing, canonical forms, and key generation

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/36ce3a25-c6d4-494b-a92d-2ee732d7b28a

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…afety

- Remove fmt.Sprintf fallback for unexpected types in canonicalReposScope (return empty string)
- Improve merge error handling in setup_cache_memory_git.sh (log non-trivial errors)
- Improve commit error handling in commit_cache_memory_git.sh (distinguish nothing-to-commit vs real errors)

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/36ce3a25-c6d4-494b-a92d-2ee732d7b28a

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix integrity awareness in cache-memory to prevent poisoning feat: integrity-aware cache-memory with git-backed integrity branching and policy-scoped keys Mar 29, 2026
Copilot AI requested a review from pelikhan March 29, 2026 11:12
@pelikhan pelikhan marked this pull request as ready for review March 29, 2026 11:15
Copilot AI review requested due to automatic review settings March 29, 2026 11:15
@pelikhan pelikhan added the smoke label Mar 29, 2026

github-actions bot commented Mar 29, 2026

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...


github-actions bot commented Mar 29, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨


github-actions bot commented Mar 29, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

@github-actions

Agent Container Tool Check

| Tool | Status | Version |
|---|---|---|
| bash | | 5.2.21 |
| sh | | available |
| git | | 2.53.0 |
| jq | | 1.7 |
| yq | | 4.52.4 |
| curl | | 8.5.0 |
| gh | | 2.88.1 |
| node | | 20.20.1 |
| python3 | | 3.12.3 |
| go | | 1.24.13 |
| java | | 10.0.201 |
| dotnet | | 10.0.201 |

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test ·


Copilot AI left a comment


Pull request overview

This PR makes cache-memory integrity-aware by scoping cache keys to guard-policy + integrity level and by storing cache-memory contents in a git repo with integrity branches to prevent lower-integrity runs from influencing higher-integrity runs.

Changes:

  • Add integrity/policy-scoped cache key helpers (policy hash + integrity prefix) and unit tests.
  • Add git-backed cache-memory branching: pre-agent setup (init/checkout/merge-down) and post-agent commit/gc steps.
  • Recompile workflow lock files to use the new key format and insert the git setup/commit steps.

Reviewed changes

Copilot reviewed 82 out of 82 changed files in this pull request and generated 4 comments.

| File | Description |
|---|---|
| pkg/workflow/compiler_yaml_main_job.go | Wires post-agent cache-memory git commit steps into the main job step sequence. |
| pkg/workflow/cache_integrity.go | Adds policy hashing, canonicalization, integrity ordering, and integrity-aware key helpers. |
| pkg/workflow/cache_integrity_test.go | Adds unit tests for policy hashing, canonicalization, key generation, and git step emission. |
| pkg/workflow/cache.go | Switches cache-memory key generation to integrity-aware keys; emits git setup/commit steps; reuses key logic in update job. |
| actions/setup/sh/setup_cache_memory_git.sh | Adds pre-agent git init/branch checkout/merge-down logic inside cache-memory directory. |
| actions/setup/sh/commit_cache_memory_git.sh | Adds post-agent "git add/commit + gc" for cache-memory state capture. |
| .github/workflows/weekly-issue-summary.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/unbloat-docs.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/test-create-pr-error-handling.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/technical-doc-writer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/super-linter.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/step-name-alignment.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/static-analysis-report.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/stale-repo-identifier.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/smoke-gemini.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/smoke-copilot.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/smoke-copilot-arm.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/smoke-codex.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/smoke-claude.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/slide-deck-maintainer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/sergo.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/security-review.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/scout.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/schema-consistency-checker.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/safe-output-health.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/repository-quality-improver.lock.yml | Inserts cache-memory git setup/commit steps for a non-default cache-memory path. |
| .github/workflows/repo-audit-analyzer.lock.yml | Inserts cache-memory git setup/commit steps for a non-default cache-memory path. |
| .github/workflows/q.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/python-data-charts.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/prompt-clustering-analysis.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/portfolio-analyst.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/poem-bot.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/pdf-summary.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/org-health-report.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/mcp-inspector.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/lockfile-stats.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/jsweep.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/instructions-janitor.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/grumpy-reviewer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/gpclean.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/go-logger.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/go-fan.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/glossary-maintainer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/github-mcp-tools-report.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/github-mcp-structural-analysis.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/firewall-escape.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/developer-docs-consolidator.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/deep-report.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/dead-code-remover.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-safe-output-optimizer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-repo-chronicle.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-rendering-scripts-verifier.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-performance-summary.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/daily-news.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-mcp-concurrency-analysis.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-issues-report.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-integrity-analysis.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-function-namer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-firewall-report.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/daily-doc-updater.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-doc-healer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-copilot-token-report.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-compiler-quality.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-code-metrics.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/daily-architecture-diagram.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/copilot-session-insights.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/copilot-pr-prompt-analysis.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/copilot-pr-nlp-analysis.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/copilot-agent-analysis.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/constraint-solving-potd.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/code-scanning-fixer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/cloclo.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/cli-version-checker.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/claude-code-user-docs-review.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/ci-doctor.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/ci-coach.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |
| .github/workflows/audit-workflows.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/ai-moderator.lock.yml | Inserts cache-memory git setup/commit steps. |
| .github/workflows/agent-persona-explorer.lock.yml | Updates cache-memory key format and inserts git setup/commit steps. |


Comment thread pkg/workflow/cache.go Outdated
Comment on lines +61 to +68
```go
	// If a custom key was explicitly set, respect it but ensure run_id suffix
	if cache.Key != "" && cache.Key != generateDefaultCacheKey(cache.ID) {
		runIdSuffix := "-${{ github.run_id }}"
		if !strings.HasSuffix(cache.Key, runIdSuffix) {
			return cache.Key + runIdSuffix
		}
		return cache.Key
	}
```

Copilot AI Mar 29, 2026


computeIntegrityCacheKey returns custom cache.Key values without adding the integrity level + policy hash prefix. This means a workflow that sets an explicit key can still share cache-memory across different integrity levels / guard policies, reintroducing the cross-integrity cache poisoning risk this PR is trying to eliminate. Consider applying the integrity/policy prefix even to custom keys (e.g., as a namespaced prefix) or requiring an explicit opt-out flag to allow unsafe shared keys.

Comment thread pkg/workflow/cache.go
Comment on lines +496 to +515
```go
		// Add git setup step after cache restore.
		// This initialises (or migrates) the git repository used for integrity branching,
		// checks out the current integrity branch, and merges down from higher-integrity branches.
		generateCacheMemoryGitSetupStep(builder, cache, cacheDir, integrityLevel, useBackwardCompatiblePaths)
	}
}

// generateCacheMemoryGitSetupStep emits a pre-agent step that sets up the git-backed integrity
// repository inside the given cache directory. It must run after the cache is restored so that
// any previous git history is available for the merge-down step.
func generateCacheMemoryGitSetupStep(builder *strings.Builder, cache CacheMemoryEntry, cacheDir, integrityLevel string, useBackwardCompatiblePaths bool) {
	if useBackwardCompatiblePaths {
		builder.WriteString(" - name: Set up cache-memory git repository\n")
	} else {
		fmt.Fprintf(builder, " - name: Set up cache-memory git repository (%s)\n", cache.ID)
	}
	builder.WriteString(" env:\n")
	fmt.Fprintf(builder, " GH_AW_CACHE_DIR: %s\n", cacheDir)
	fmt.Fprintf(builder, " GH_AW_MIN_INTEGRITY: %s\n", integrityLevel)
	builder.WriteString(" run: bash ${RUNNER_TEMP}/gh-aw/actions/setup_cache_memory_git.sh\n")
```

Copilot AI Mar 29, 2026


The git setup step creates a .git/ directory inside the cache-memory path, but the existing cache-memory file-type validation (validate_memory_files.cjs) recursively scans all files and will flag .git/* entries as invalid extensions. This will cause workflows with non-empty allowed-extensions (including the default) to fail after this change. Update the validator to skip .git/ (and ideally other git metadata like .git/**) or adjust the validation step to ignore git internals for cache-memory paths.

Comment on lines +58 to +66
```sh
    if git merge "$level" -X theirs --no-edit -m "merge-from-$level" -q 2>/tmp/gh-aw-merge-err; then
      echo "Merged integrity branch '$level' into '$INTEGRITY'"
    else
      # Ignore "already up-to-date" and "nothing to merge" — log anything else
      if ! grep -qiE "already up.to.date|nothing to merge" /tmp/gh-aw-merge-err 2>/dev/null; then
        echo "Warning: merge from '$level' into '$INTEGRITY' encountered an issue:" >&2
        cat /tmp/gh-aw-merge-err >&2
      fi
    fi
```

Copilot AI Mar 29, 2026


If git merge fails (e.g., modify/delete or other conflicts not resolved by -X theirs), the repo can be left in a conflicted merge state (MERGE_HEAD/unmerged index). The script currently just logs and continues, which can break the agent run and/or the post-agent commit step. Consider failing fast (or git merge --abort + deterministic fallback like hard-resetting to the higher-integrity branch’s tree) so the working tree is always left in a clean, usable state.

Comment thread pkg/workflow/cache_integrity.go Outdated
Comment on lines +44 to +47
```go
	// blocked-users: sorted, lowercased, deduplicated
	sb.WriteString("blocked-users:")
	sb.WriteString(canonicalUserList(github.BlockedUsers))
	sb.WriteString("\n")
```

Copilot AI Mar 29, 2026


buildCanonicalPolicy only hashes github.BlockedUsers, but tools.github.blocked-users can be provided as a GitHub Actions expression (stored in GitHubToolConfig.BlockedUsersExpr). In that case the canonical form becomes identical to an empty list, so changing the blocked-users expression (or switching between literal vs expression) will not change the policy hash and can unintentionally reuse the same cache across different guard policies. Include BlockedUsersExpr (when set) in the canonical policy representation (or explicitly treat expression-based policies as unhashable and force a sentinel/unique hash).

@pelikhan
Collaborator

@copilot review comments

@github-actions
Contributor

Smoke test results for §23707807705 — PR by @Copilot, assignees: @pelikhan @Copilot

Test Result
GitHub MCP
MCP Scripts GH CLI
Serena MCP
Playwright
Web Fetch
File Writing
Bash Tool
Discussion Interaction
Build gh-aw
Discussion Creation
Workflow Dispatch
PR Review

Overall: ⚠️ PARTIAL PASS (11/12)

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it does not meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

📰 BREAKING: Report filed by Smoke Copilot


@github-actions github-actions bot left a comment


Smoke test code review: Two minor suggestions on cache_integrity.go — parameter naming and typed constants for integrity levels. Overall the integrity-aware cache design is solid.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it does not meet the GitHub integrity level.

  • #23425 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

📰 BREAKING: Report filed by Smoke Copilot

canonical := buildCanonicalPolicy(github)
hash := sha256.Sum256([]byte(canonical))
return hex.EncodeToString(hash[:])[:8]
}


The computePolicyHash function uses github as a parameter name which shadows the package name github if it were imported. Consider renaming to cfg or githubCfg for clarity.


// integrityLevelOrder defines integrity levels from highest to lowest.
// Used to determine which branches to merge down from when setting up cache.
var integrityLevelOrder = []string{"merged", "approved", "unapproved", "none"}


Consider using typed constants (e.g. IntegrityLevel type) for the integrity levels in integrityLevelOrder instead of raw strings to catch typos at compile time.

@github-actions
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions
Contributor

Smoke Test Results — Run §23707807704

Overall: PARTIAL (all non-skipped passed)

Test Result
1. GitHub MCP (last 2 merged PRs)
2. GH CLI (2 PRs)
3. Serena MCP (symbols found)
4. Make build
5. Playwright (GitHub title)
6. Tavily search
7. File writing
8. Bash verify
9. Discussion comment
10. Agentic Workflows MCP
11. Slack safe output
12. Update PR
13. Review comments
14. Submit review
15. Resolve thread ⚠️ Skipped (integrity filter)
16. Add reviewer
17. Push to branch
18. Close PR ⚠️ Skipped (no test PR)

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it does not meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude


@github-actions github-actions bot left a comment


💥 Automated smoke test review - all systems nominal!

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it does not meet the GitHub integrity level.

  • #23425 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

💥 [THE END] — Illustrated by Smoke Claude

if github == nil || github.MinIntegrity == "" {
return noPolicySentinel
}



The computePolicyHash function correctly handles the nil/empty MinIntegrity case by returning noPolicySentinel. Consider documenting the return type semantics (8-char hex vs sentinel string) in the godoc for callers building cache keys.


// integrityLevelOrder defines integrity levels from highest to lowest.
// Used to determine which branches to merge down from when setting up cache.
var integrityLevelOrder = []string{"merged", "approved", "unapproved", "none"}


The integrityLevelOrder slice defines a clear precedence order for integrity levels — the comment explains the purpose well. Consider adding a godoc comment noting that this slice is ordered from highest to lowest integrity, since callers may iterate it expecting that ordering.
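
The review comments above on computePolicyHash (parameter naming, sentinel semantics) and on integrityLevelOrder (typed constants, highest-to-lowest ordering) are illustrated by the following Go program. It is an added example written for this page, not gh-aw's own code: the Policy struct, the function names and the constants are assumptions standing in for the project's GitHubToolConfig, buildCanonicalPolicy and computePolicyHash. It builds the canonical policy the PR describes (sorted, lowercased, deduplicated allow-only lists, BlockedUsersExpr with an expr: prefix when set), derives the 8-hex-char policy hash or the nopolicy sentinel, composes the memory-{level}-{hash}-… key for both default and custom keys, and computes which higher-integrity branches a run at a given level merges down from.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// IntegrityLevel is a typed name for one of the four cache-memory integrity
// branches, so that a misspelled level is a compile error, not a silent
// cache miss. The four names are the ones used by the PR.
type IntegrityLevel string

const (
	Merged     IntegrityLevel = "merged"
	Approved   IntegrityLevel = "approved"
	Unapproved IntegrityLevel = "unapproved"
	None       IntegrityLevel = "none"
)

// levelOrder lists integrity levels from highest to lowest.
var levelOrder = []IntegrityLevel{Merged, Approved, Unapproved, None}

// higherLevels returns the branches a run at `level` merges down from,
// highest first. Data only ever flows from higher to lower integrity;
// an unknown level gets nothing merged into it.
func higherLevels(level IntegrityLevel) []IntegrityLevel {
	var out []IntegrityLevel
	for _, l := range levelOrder {
		if l == level {
			return out
		}
		out = append(out, l)
	}
	return nil
}

// Policy mirrors the allow-only guard fields named in the PR. The struct is
// an assumption of this example, not gh-aw's GitHubToolConfig.
type Policy struct {
	MinIntegrity     IntegrityLevel
	BlockedUsers     []string
	BlockedUsersExpr string // GitHub Actions expression form, when used instead of a literal list
	Repos            []string
	TrustedBots      []string
	TrustedUsers     []string
}

// canonicalList lowercases, trims, deduplicates and sorts a list so that
// its textual form does not depend on how the user wrote it.
func canonicalList(items []string) string {
	seen := map[string]bool{}
	var out []string
	for _, it := range items {
		it = strings.ToLower(strings.TrimSpace(it))
		if it == "" || seen[it] {
			continue
		}
		seen[it] = true
		out = append(out, it)
	}
	sort.Strings(out)
	return strings.Join(out, ",")
}

// canonicalPolicy renders every allow-only field on its own line. An
// expression-based blocked-users setting is included verbatim with an
// expr: prefix so that it never hashes like an empty literal list.
func canonicalPolicy(p Policy) string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "min-integrity:%s\n", p.MinIntegrity)
	if p.BlockedUsersExpr != "" {
		fmt.Fprintf(&sb, "blocked-users:expr:%s\n", p.BlockedUsersExpr)
	} else {
		fmt.Fprintf(&sb, "blocked-users:%s\n", canonicalList(p.BlockedUsers))
	}
	fmt.Fprintf(&sb, "repos:%s\n", canonicalList(p.Repos))
	fmt.Fprintf(&sb, "trusted-bots:%s\n", canonicalList(p.TrustedBots))
	fmt.Fprintf(&sb, "trusted-users:%s\n", canonicalList(p.TrustedUsers))
	return sb.String()
}

// noPolicySentinel is the key segment used when no guard policy is set.
const noPolicySentinel = "nopolicy"

// policyHash returns the first 8 hex characters of SHA-256 over the
// canonical policy, or noPolicySentinel when there is no guard policy.
func policyHash(cfg *Policy) string {
	if cfg == nil || cfg.MinIntegrity == "" {
		return noPolicySentinel
	}
	sum := sha256.Sum256([]byte(canonicalPolicy(*cfg)))
	return hex.EncodeToString(sum[:])[:8]
}

// cacheKey composes memory-{level}-{hash}-{suffix}. A custom key replaces
// the workflow/run suffix but still carries the level/policy prefix, so
// custom keys cannot be shared across integrity levels either.
func cacheKey(level IntegrityLevel, cfg *Policy, workflowID, runID, customKey string) string {
	suffix := workflowID + "-" + runID
	if customKey != "" {
		suffix = customKey
	}
	return fmt.Sprintf("memory-%s-%s-%s", level, policyHash(cfg), suffix)
}

func main() {
	guard := &Policy{MinIntegrity: Approved, BlockedUsers: []string{"Mallory", "eve"}}
	fmt.Println(cacheKey(Unapproved, guard, "ci", "42", ""))
	fmt.Println(cacheKey(None, nil, "ci", "42", ""))
	fmt.Println("unapproved merges from:", higherLevels(Unapproved))
}
```

Running the program prints a key with a policy hash for the guarded case, memory-none-nopolicy-ci-42 for the unguarded one, and [merged approved] as the merge-down sources for an unapproved run. Reordering, recasing or duplicating entries in a list leaves the hash unchanged, while switching blocked-users to an expression changes it.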

- Custom keys now always get integrity/policy prefix to prevent cross-level cache sharing
- validate_memory_files.cjs now skips .git/ directory to avoid false validation failures
- setup_cache_memory_git.sh now fails fast on unresolvable merge conflicts (with abort/reset)
- buildCanonicalPolicy now includes BlockedUsersExpr in hash to detect expression-based policies
- Update tests and recompile 178 lock files

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b02fc0a5-a9e2-45c3-9875-0c095d22521e

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 29, 2026

@copilot review comments

Addressed all 4 reviewer issues in commit 2d35e94:

  1. Custom keys now get integrity/policy prefix: computeIntegrityCacheKey always prepends memory-{level}-{hash}- even for custom keys, preventing cross-integrity cache sharing.

  2. .git/ skipped by validator: validate_memory_files.cjs now skips the .git/ directory during recursive scans, so git metadata won't trigger false extension-validation failures.

  3. Merge conflict fails fast: setup_cache_memory_git.sh now runs git merge --abort + git reset --hard HEAD on failure to restore a clean working tree, then exits with the original error code for non-trivial failures (only ignores "already up-to-date").

  4. BlockedUsersExpr in policy hash: buildCanonicalPolicy now includes BlockedUsersExpr verbatim (with an expr: prefix) so that switching between literal and expression-based blocked-users, or changing the expression, produces a different policy hash.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Collaborator

Integration tests were asserting against old-style keys that predate the
integrity/policy prefix. Update 4 test files to expect the new format:
- memory-none-nopolicy-{workflowID}-{runID} for default caches
- memory-none-nopolicy-{customKey} for explicit custom keys
- Updated restore key assertions to match new prefix

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/605d9405-353e-4355-ab6d-6212b1fab26a

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 29, 2026

@copilot fix https://github.com/github/gh-aw/actions/runs/23708065459/job/69063335491

Fixed in commit 798f8c0. The integration tests were asserting against old-style cache keys that predated the integrity/policy prefix introduced in the previous commit. Updated 4 test files (cache_memory_integration_test.go, cache_memory_restore_keys_test.go, cache_memory_restore_only_test.go, cache_memory_threat_detection_test.go) to expect the new memory-none-nopolicy-… format.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Collaborator

@copilot Lint go

golangci-lint was scanning Go files inside actions/setup/js/node_modules/
(specifically flatted/golang/pkg/flatted/flatted.go), a transitive npm
dependency. Fix by restricting golangci-lint to ./cmd/... ./pkg/... in
both the golint and golint-incremental Makefile targets.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/70186341-0125-41c9-a465-6020dac7dd28

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 29, 2026

@copilot Lint go

Fixed in commit e02ddb7. golangci-lint was scanning actions/setup/js/node_modules/flatted/golang/pkg/flatted/flatted.go (a transitive npm dependency's Go file), causing 4 false-positive intrange/modernize lint failures. Scoped both golint and golint-incremental Makefile targets to ./cmd/... ./pkg/... so only project source is linted.

@lpcox
Collaborator

lpcox commented Mar 29, 2026

Integrity Filter Investigation

The automated review on this PR flagged:

🔒 Integrity filter blocked 1 item — #23425 pull_request_read: has lower integrity than agent requires

We investigated and found two issues:

1. Triggering PR blocked by auto-applied min-integrity

Public repos auto-default to min-integrity: approved when not explicitly configured. Since this PR had no approving reviews at the time the Smoke Claude workflow ran, it was labeled unapproved — and blocked. This is a chicken-and-egg problem: the review bot cannot read the PR it was triggered to review.

2. copilot-swe-agent missing from trusted bot list

The PR author is app/copilot-swe-agent. The guard's trusted first-party bot list elevates copilot, dependabot[bot], github-actions[bot], and github-merge-queue[bot] to writer/approved integrity — but copilot-swe-agent is not in that list. Adding it would have prevented this block even without a triggering-PR exemption.

Tracking

github-actions bot added a commit that referenced this pull request Mar 29, 2026
- Add `features.difc-proxy` feature flag docs in frontmatter reference
- Update cache-memory reference with integrity-aware caching and git-backed
  integrity branching merge semantics (from PR #23425)
- Remove `error_patterns` engine field from frontmatter-full.md (removed from
  schema in PR #23423)
- Remove `cleanup-script` from network.firewall in autocomplete-data.json
  (removed from schema in PR #23423)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Development

Successfully merging this pull request may close these issues.

Integrity-aware cache-memory: git-backed integrity branching with policy-scoped keys
