refactor: extract daily audit discussion configuration into shared/daily-audit-discussion.md #24102

Merged
pelikhan merged 4 commits into main from copilot/refactor-shared-daily-audit-component on Apr 2, 2026

Conversation


Copilot AI commented Apr 2, 2026

44 workflows each manually repeated 8–10 lines of identical create-discussion safe-outputs config, with no single source of truth for audit discussion hygiene settings (expiry, category, max, close-older).

Changes

New shared component: shared/daily-audit-discussion.md

Parametrized shared import with import-schema for title-prefix (required) and expires (optional, default 3d). Provides a standardized create-discussion safe-outputs block.

# Usage in any workflow:
imports:
  - uses: shared/daily-audit-discussion.md
    with:
      title-prefix: "[daily secrets] "
      expires: 3d   # optional, default: 3d

40 workflow migrations

Replaced inline create-discussion and close-discussion blocks with the import above. Three workflows from the issue list were intentionally skipped: issue-arborist.md and poem-bot.md (no safe-outputs), and deep-report.md (category: "reports" rather than "audits").

Workflows that needed upload-asset retain it in their own safe-outputs or receive it transitively via python-dataviz.md; the shared component deliberately omits upload-asset to avoid safe-outputs type conflicts when multiple imports provide it.

Bug fix: parseUploadAssetConfig

upload-asset: false was previously treated identically to upload-asset: null (both enabled the feature with defaults). Now false explicitly disables it.

Result

~350–400 lines removed across the codebase. All 179 workflows compile (0 errors).


github-actions Bot commented Apr 2, 2026

Hey @Copilot 👋 — thanks for opening this refactoring PR to extract the daily audit discussion configuration into a shared component! Centralising repeated config across 41+ workflows is exactly the kind of housekeeping that keeps the codebase healthy. A few things to address before this is ready for review:

  • Add a narrative description — the PR body is currently a task checklist, which is great for tracking progress but doesn't explain the why. A short paragraph describing the motivation (e.g. duplication problem, expected benefits, any caveats with parseUploadAssetConfig) would help reviewers a lot.
  • Push initial code changes — the PR currently has 0 files changed and 0 lines in the diff. The checklist items are still open (only step 1 is checked). The substantive work — fixing parseUploadAssetConfig, creating shared/daily-audit-discussion.md, migrating the 41+ workflows, and recompiling — still needs to land.
  • Include tests — once the migration code is in place, make sure test files are updated or added. Per the project guidelines (scratchpad/testing.md), run make test to confirm coverage, and make agent-finish before marking the PR ready.

Generated by Contribution Check

…on.md component

- Create shared/daily-audit-discussion.md with import-schema for title-prefix and expires
- Fix parseUploadAssetConfig to treat upload-asset: false as disabled
- Migrate 40 workflows to use the shared component
- Remove repetitive create-discussion/close-discussion blocks from each workflow

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e41372a2-fbe3-468e-b5a9-f52bb0cc4b40

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Refactor to extract daily audit discussion configuration refactor: extract daily audit discussion configuration into shared/daily-audit-discussion.md Apr 2, 2026
Copilot AI requested a review from pelikhan April 2, 2026 13:44
Comment on lines +29 to +30
close-discussion:
max: 10


@copilot not needed, remove this



Removed in ba14333.


Copilot AI commented Apr 2, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan April 2, 2026 13:56
@pelikhan pelikhan marked this pull request as ready for review April 2, 2026 13:56
Copilot AI review requested due to automatic review settings April 2, 2026 13:56

pelikhan commented Apr 2, 2026

@copilot merge main and recompile

…ed-daily-audit-component

# Conflicts:
#	.github/workflows/audit-workflows.lock.yml
#	.github/workflows/audit-workflows.md
#	.github/workflows/copilot-agent-analysis.lock.yml
#	.github/workflows/copilot-agent-analysis.md
#	.github/workflows/copilot-pr-nlp-analysis.lock.yml
#	.github/workflows/copilot-pr-nlp-analysis.md
#	.github/workflows/copilot-pr-prompt-analysis.lock.yml
#	.github/workflows/copilot-pr-prompt-analysis.md
#	.github/workflows/copilot-session-insights.lock.yml
#	.github/workflows/copilot-session-insights.md
#	.github/workflows/daily-copilot-token-report.lock.yml
#	.github/workflows/daily-copilot-token-report.md
#	.github/workflows/delight.lock.yml
#	.github/workflows/delight.md

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Apr 2, 2026

@copilot merge main and recompile

Done in 899162f. Merged main, resolved 7 .md conflicts by taking both shared/daily-audit-discussion.md and shared/repo-memory-standard.md imports, then recompiled all 179 workflows (0 errors).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build1368773828/b257/embedcfg -pack (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan April 2, 2026 14:05
@pelikhan pelikhan merged commit d7ad98b into main Apr 2, 2026
@pelikhan pelikhan deleted the copilot/refactor-shared-daily-audit-component branch April 2, 2026 14:06

Copilot AI left a comment


Pull request overview

This PR centralizes the repeated create-discussion safe-outputs configuration into a shared workflow import and migrates many workflows to use it, while also fixing upload-asset: false handling in the workflow compiler.

Changes:

  • Added a reusable shared component (shared/daily-audit-discussion.md) with an import-schema to standardize create-discussion safe-outputs configuration.
  • Migrated multiple workflows from inline create-discussion safe-outputs blocks to the shared import (and updated corresponding .lock.yml outputs).
  • Fixed parseUploadAssetConfig so upload-asset: false explicitly disables upload-asset instead of enabling defaults.

Reviewed changes

Copilot reviewed 82 out of 82 changed files in this pull request and generated 6 comments.

File Description
pkg/workflow/publish_assets.go Treats upload-asset: false as an explicit disable signal.
.github/workflows/shared/daily-audit-discussion.md Introduces shared, parameterized create-discussion safe-outputs config.
.github/workflows/weekly-issue-summary.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/weekly-issue-summary.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/typist.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/typist.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/terminal-stylist.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/terminal-stylist.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/sergo.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/schema-consistency-checker.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/safe-output-health.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/repository-quality-improver.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/repo-audit-analyzer.md Adds shared import while retaining workflow-specific safe-outputs config.
.github/workflows/repo-audit-analyzer.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/prompt-clustering-analysis.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/portfolio-analyst.md Adds shared import while retaining upload-asset safe-outputs config.
.github/workflows/portfolio-analyst.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/mcp-inspector.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/lockfile-stats.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/go-fan.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/github-remote-mcp-auth-test.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/github-remote-mcp-auth-test.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/github-mcp-tools-report.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/github-mcp-tools-report.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/github-mcp-structural-analysis.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/example-workflow-analyzer.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/example-workflow-analyzer.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/docs-noob-tester.md Adds shared import while retaining upload-asset safe-outputs config.
.github/workflows/docs-noob-tester.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/developer-docs-consolidator.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/developer-docs-consolidator.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/delight.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/delight.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/daily-team-evolution-insights.md Replaces inline discussion safe-outputs with shared import.
.github/workflows/daily-team-evolution-insights.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/daily-secrets-analysis.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/daily-secrets-analysis.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/daily-regulatory.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/daily-performance-summary.md Migrates to shared import, retaining upload-asset safe-outputs config.
.github/workflows/daily-performance-summary.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/daily-observability-report.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/daily-issues-report.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/daily-integrity-analysis.md Migrates to shared import, retaining upload-asset safe-outputs config.
.github/workflows/daily-firewall-report.md Migrates to shared import, retaining upload-asset safe-outputs config.
.github/workflows/daily-firewall-report.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/daily-copilot-token-report.md Migrates to shared import, retaining upload-asset safe-outputs config.
.github/workflows/daily-compiler-quality.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/daily-code-metrics.md Migrates to shared import, retaining upload-asset safe-outputs config.
.github/workflows/copilot-session-insights.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/copilot-pr-prompt-analysis.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/copilot-pr-nlp-analysis.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/copilot-pr-merged-report.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/copilot-agent-analysis.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/claude-code-user-docs-review.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/blog-auditor.md Migrates to shared import, removing inline discussion tool config.
.github/workflows/blog-auditor.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/audit-workflows.md Migrates to shared import, retaining upload-asset safe-outputs config.
.github/workflows/audit-workflows.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.
.github/workflows/agentic-observability-kit.md Migrates to shared import alongside existing escalation safe-outputs.
.github/workflows/agentic-observability-kit.lock.yml Regenerated lockfile reflecting shared import and other compiled-job graph changes.


Comment on lines +24 to +28
// Explicit false disables upload-asset (e.g. when passed via import-inputs)
if b, ok := configData.(bool); ok && !b {
publishAssetsLog.Print("upload-asset explicitly set to false, skipping")
return nil
}
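Review bot: the `ok && !b` type assertion only recognises a YAML boolean, so if import-inputs can deliver this value as the string "false" (the case the comment on the preceding line names), the assertion fails, control falls through, and the feature is enabled with defaults exactly as before the fix. Either normalise the string forms ("false"/"true") before the assertion, or add a test that pins the type import-inputs actually produces next to the `{"upload-asset": false}` -> nil case.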

Copilot AI Apr 2, 2026


The new upload-asset: false disablement path isn’t covered by the existing unit tests for parseUploadAssetConfig. Please add/extend a test case that passes {"upload-asset": false} and asserts the result is nil (and that true still enables defaults), to prevent regressions in this behavior change.

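A worked version of the tri-state the review asks to cover, written as an added example for this page rather than gh-aw's own code: the struct, its field names and the default values are assumptions, and it goes one step beyond the hunk by also normalising a string "false" so an import-input delivered as text cannot silently re-enable the feature.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// UploadAssetsConfig mirrors the shape of the upload-asset safe-output settings;
// the field names are assumptions for this example, not gh-aw's own.
type UploadAssetsConfig struct {
	BranchName  string
	MaxSizeKB   int
	AllowedExts []string
}

// defaultUploadAssetsConfig is "the defaults" of the PR description: applied
// when the key is present as null or true (values here are constructed).
func defaultUploadAssetsConfig() *UploadAssetsConfig {
	return &UploadAssetsConfig{
		BranchName:  "assets/${{ github.workflow }}",
		MaxSizeKB:   10240,
		AllowedExts: []string{".png", ".jpg", ".jpeg"},
	}
}

// parseUploadAssetConfig is a stand-in for gh-aw's function of the same name.
// It implements the tri-state the PR describes and adds a string case:
//   - key absent             -> nil (feature not requested)
//   - key present, null/true -> defaults
//   - key present, false     -> nil (the explicit disable the PR introduces)
//   - key present, "false"   -> nil (text form an import-input may deliver)
//   - key present, mapping   -> defaults overridden by the mapping's values
func parseUploadAssetConfig(outputMap map[string]any) (*UploadAssetsConfig, error) {
	configData, exists := outputMap["upload-asset"]
	if !exists {
		return nil, nil
	}
	switch v := configData.(type) {
	case nil:
		return defaultUploadAssetsConfig(), nil
	case bool:
		if !v {
			log.Print("upload-asset explicitly set to false, skipping")
			return nil, nil
		}
		return defaultUploadAssetsConfig(), nil
	case string:
		// Normalise so a templated "false" is not mistaken for "enabled".
		switch strings.ToLower(strings.TrimSpace(v)) {
		case "false":
			return nil, nil
		case "true", "":
			return defaultUploadAssetsConfig(), nil
		}
		return nil, fmt.Errorf("upload-asset: unsupported string value %q", v)
	case map[string]any:
		cfg := defaultUploadAssetsConfig()
		if b, ok := v["branch"].(string); ok && b != "" {
			cfg.BranchName = b
		}
		if n, ok := v["max-size"].(int); ok && n > 0 { // YAML decoders yield int here
			cfg.MaxSizeKB = n
		}
		if exts, ok := v["allowed-exts"].([]any); ok {
			cfg.AllowedExts = nil
			for _, e := range exts {
				if s, ok := e.(string); ok {
					cfg.AllowedExts = append(cfg.AllowedExts, s)
				}
			}
		}
		return cfg, nil
	default:
		return nil, fmt.Errorf("upload-asset: unsupported type %T", configData)
	}
}

func main() {
	for _, sample := range []any{false, nil, "false", map[string]any{"max-size": 512}} {
		cfg, err := parseUploadAssetConfig(map[string]any{"upload-asset": sample})
		fmt.Printf("%v -> cfg=%+v err=%v\n", sample, cfg, err)
	}
}
```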
Comment on lines 915 to 917
await main();

detection:
needs: agent
if: >
always() && needs.agent.result != 'skipped' && (needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true')
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
detection_success: ${{ steps.detection_conclusion.outputs.success }}
steps:
- name: Checkout actions folder
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: github/gh-aw
sparse-checkout: |
actions
persist-credentials: false
- name: Setup Scripts
uses: ./actions/setup
with:
destination: ${{ runner.temp }}/gh-aw/actions
- name: Download agent output artifact
id: download-agent-output
continue-on-error: true
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: agent
path: /tmp/gh-aw/
- name: Setup agent output environment variable
id: setup-agent-output-env
if: steps.download-agent-output.outcome == 'success'
run: |
mkdir -p /tmp/gh-aw/
find "/tmp/gh-aw/" -type f -print
echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
- name: Checkout repository for patch context
if: needs.agent.outputs.has_patch == 'true'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
# --- Threat Detection ---
- name: Download container images
run: bash ${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.25.10 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.10 ghcr.io/github/gh-aw-firewall/squid:0.25.10
- name: Check if detection needed
id: detection_guard
if: always()
env:
OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }}
HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
run: |
if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then
echo "run_detection=true" >> "$GITHUB_OUTPUT"
echo "Detection will run: output_types=$OUTPUT_TYPES, has_patch=$HAS_PATCH"
else
echo "run_detection=false" >> "$GITHUB_OUTPUT"
echo "Detection skipped: no agent outputs or patches to analyze"
fi
- name: Clear MCP configuration for detection
if: always() && steps.detection_guard.outputs.run_detection == 'true'
run: |
rm -f /tmp/gh-aw/mcp-config/mcp-servers.json
rm -f /home/runner/.copilot/mcp-config.json
rm -f "$GITHUB_WORKSPACE/.gemini/settings.json"
- name: Prepare threat detection files
if: always() && steps.detection_guard.outputs.run_detection == 'true'
run: |
mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
for f in /tmp/gh-aw/aw-*.patch; do
[ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
done
for f in /tmp/gh-aw/aw-*.bundle; do
[ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
done
echo "Prepared threat detection files:"
ls -la /tmp/gh-aw/threat-detection/ 2>/dev/null || true
- name: Setup threat detection
if: always() && steps.detection_guard.outputs.run_detection == 'true'
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
WORKFLOW_NAME: "Weekly Issue Summary"
WORKFLOW_DESCRIPTION: "Creates weekly summary of issue activity including trends, charts, and insights every Monday"
HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
with:
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io);
const { main } = require('${{ runner.temp }}/gh-aw/actions/setup_threat_detection.cjs');
await main();
- name: Ensure threat-detection directory and log
if: always() && steps.detection_guard.outputs.run_detection == 'true'
run: |
mkdir -p /tmp/gh-aw/threat-detection
touch /tmp/gh-aw/threat-detection/detection.log
- name: Install GitHub Copilot CLI
run: ${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh latest
- name: Install AWF binary
run: bash ${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh v0.25.10
- name: Execute GitHub Copilot CLI
if: always() && steps.detection_guard.outputs.run_detection == 'true'
id: detection_agentic_execution
# Copilot CLI tool arguments (sorted):
timeout-minutes: 20
run: |
set -o pipefail
touch /tmp/gh-aw/agent-step-summary.md
# shellcheck disable=SC1003
sudo -E awf --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,github.com,host.docker.internal,telemetry.enterprise.githubcopilot.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --image-tag 0.25.10 --skip-pull --enable-api-proxy \
-- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
env:
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || '' }}
GH_AW_PHASE: detection
GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
GH_AW_VERSION: dev
GITHUB_API_URL: ${{ github.api_url }}
GITHUB_AW: true
GITHUB_HEAD_REF: ${{ github.head_ref }}
GITHUB_REF_NAME: ${{ github.ref_name }}
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
GITHUB_WORKSPACE: ${{ github.workspace }}
GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
GIT_AUTHOR_NAME: github-actions[bot]
GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
GIT_COMMITTER_NAME: github-actions[bot]
XDG_CONFIG_HOME: /home/runner
- name: Upload threat detection log
if: always() && steps.detection_guard.outputs.run_detection == 'true'
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: detection
path: /tmp/gh-aw/threat-detection/detection.log
if-no-files-found: ignore
- name: Parse and conclude threat detection
id: detection_conclusion
if: always()
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
RUN_DETECTION: ${{ steps.detection_guard.outputs.run_detection }}
with:
script: |
const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
setupGlobals(core, github, context, exec, io);
const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_threat_detection_results.cjs');
await main();

safe_outputs:
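Review bot: in this lockfile region the detection job is the only producer of detection_conclusion and detection_success, and the trailing `safe_outputs:` header is the consumer that would gate on them; if the regenerated lockfile drops the job, the threat-detection step between agent output and safe outputs disappears with it. Recompile this workflow from main without the shared import and diff the two lockfiles to establish whether the removal comes from this PR or was already on main, and if it is new here, state it in the PR description rather than leaving it as a side effect of the refactor.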

Copilot AI Apr 2, 2026


This regenerated lockfile removes the separate detection (and related downstream dependencies) and changes safe_outputs to no longer depend on detection (needs: agent only). That’s a significant behavioral/security/operational change beyond the PR description’s safe-outputs refactor; please confirm it’s intended and either document it in the PR description or split it into a dedicated change.

Comment on lines 19 to +22
imports:
- uses: shared/daily-audit-discussion.md
with:
title-prefix: "[daily secrets] "

Copilot AI Apr 2, 2026


This workflow’s instructions require close_discussion and state the discussion expires after 3 days, but after migrating to the shared import: (1) safe-outputs.close-discussion is no longer configured, and (2) with.expires is not provided, so the resolved config currently falls back to the tool default (seen as expires: 168 in the lockfile). Re-add safe-outputs.close-discussion and either pass expires: 3d here or ensure the shared import reliably applies its 3d default.

Comment on lines 19 to +23
timeout-minutes: 30
imports:
- uses: shared/daily-audit-discussion.md
with:
title-prefix: "[daily issues] "

Copilot AI Apr 2, 2026


The workflow instructions require closing prior discussions via close_discussion, but the close-discussion safe-outputs config was removed during the migration to the shared discussion import. Also, with.expires is omitted here (previously 3d), so retention may change unless the shared import default is reliably applied. Please re-add safe-outputs.close-discussion and consider passing expires: 3d explicitly (or fix the shared default behavior).

Suggested change
timeout-minutes: 30
imports:
- uses: shared/daily-audit-discussion.md
with:
title-prefix: "[daily issues] "
timeout-minutes: 30
safe-outputs:
- close-discussion
imports:
- uses: shared/daily-audit-discussion.md
with:
title-prefix: "[daily issues] "
expires: 3d
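Review bot: the suggestion writes safe-outputs as a list (`- close-discussion`), while the snippet reviewed earlier in this thread configures the same feature as a mapping (`close-discussion:` with `max: 10`); check which form the safe-outputs schema accepts before applying it, since a list entry the validator rejects would fail compilation of this workflow rather than restore close_discussion.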

Comment on lines 21 to 25
imports:
- uses: shared/daily-audit-discussion.md
with:
title-prefix: "[daily regulatory] "
- shared/github-queries-mcp-script.md

Copilot AI Apr 2, 2026


The workflow body instructs the agent to use close_discussion, but the close-discussion safe-outputs config was removed when migrating to the shared discussion import. Also, with.expires is omitted here (previously 3d), so retention may change unless the shared import default is reliably applied. Please re-add safe-outputs.close-discussion and consider passing expires: 3d explicitly (or fix the shared default behavior).

Comment on lines +17 to +21
expires:
type: string
default: "3d"
description: "How long to keep discussions before expiry (e.g. 1d, 3d, 7d)"


Copilot AI Apr 2, 2026


The expires input is marked optional with default: "3d", but workflows that omit with.expires are still resolving to the tool default expiry (e.g. expires: 168 in .github/workflows/daily-secrets-analysis.lock.yml). This suggests import-schema.default isn’t being applied to github.aw.import-inputs.expires; consider using an explicit expression fallback (or make expires required) so the intended 3d default is reliably enforced.

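Resolving import-schema defaults the way this review expects, as an added example that is not gh-aw's code: the InputSpec shape, the resolver and the duration parser are assumptions, while the `3d` default, the required `title-prefix` and the 168-hour tool fallback come from the thread. It shows that a workflow omitting `with.expires` should land on 72 hours, not 168.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// InputSpec is a simplified import-schema entry; the shape is assumed for this
// example and is not gh-aw's own type.
type InputSpec struct {
	Type     string
	Required bool
	Default  string
}

// ToolDefaultExpiresHours mirrors the 168-hour fallback the review spotted in
// daily-secrets-analysis.lock.yml when no expires value reached the tool.
const ToolDefaultExpiresHours = 168

// dailyAuditSchema models the import-schema of shared/daily-audit-discussion.md:
// title-prefix is required, expires is optional with default "3d".
var dailyAuditSchema = map[string]InputSpec{
	"title-prefix": {Type: "string", Required: true},
	"expires":      {Type: "string", Default: "3d"},
}

// resolveImportInputs layers the caller's `with:` values over the schema
// defaults. This is the step that, per the review, was not applying defaults.
func resolveImportInputs(schema map[string]InputSpec, with map[string]string) (map[string]string, error) {
	for name := range with {
		if _, ok := schema[name]; !ok {
			return nil, fmt.Errorf("unknown import input %q", name)
		}
	}
	out := make(map[string]string, len(schema))
	for name, spec := range schema {
		if v, ok := with[name]; ok && v != "" {
			out[name] = v
			continue
		}
		if spec.Required {
			return nil, fmt.Errorf("import input %q is required", name)
		}
		out[name] = spec.Default
	}
	return out, nil
}

// parseExpiresHours converts "3d", "12h" or a bare hour count into hours.
// An empty string is the "nothing reached the tool" case and yields 168.
func parseExpiresHours(raw string) (int, error) {
	s := strings.ToLower(strings.TrimSpace(raw))
	if s == "" {
		return ToolDefaultExpiresHours, nil
	}
	mult := 1
	switch {
	case strings.HasSuffix(s, "d"):
		mult, s = 24, strings.TrimSuffix(s, "d")
	case strings.HasSuffix(s, "h"):
		s = strings.TrimSuffix(s, "h")
	}
	n, err := strconv.Atoi(s)
	if err != nil || n <= 0 {
		return 0, fmt.Errorf("invalid expires value %q", raw)
	}
	return n * mult, nil
}

// effectiveExpiresHours is the value a workflow importing the shared component
// should end up with: 72 when it omits expires, not the tool default of 168.
func effectiveExpiresHours(with map[string]string) (int, error) {
	inputs, err := resolveImportInputs(dailyAuditSchema, with)
	if err != nil {
		return 0, err
	}
	return parseExpiresHours(inputs["expires"])
}

func main() {
	h, err := effectiveExpiresHours(map[string]string{"title-prefix": "[daily secrets] "})
	fmt.Println(h, err) // 72 <nil>
}
```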

Development

Successfully merging this pull request may close these issues.

[refactoring] Extract daily audit discussion configuration into shared component

3 participants