github · pelikhan · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml
diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml
diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml
diff --git a/.github/workflows/copilot-token-optimizer.lock.yml b/.github/workflows/copilot-token-optimizer.lock.yml
diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml
diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml
diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml
diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml
diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml
diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml
diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml
diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml
diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml
diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml
diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go
@@ -736,21 +736,29 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna
 		steps = append(steps, c.generateRestoreActionsSetupStep())
 	}
 
-	// Job condition: only run if the agent job succeeded (do not push repo memory when agent
-	// failed or was skipped). Using always() so the job still runs even when upstream jobs
-	// are skipped (e.g. detection is skipped when agent produces no outputs).
-	agentSucceeded := BuildEquals(
+	// Job condition: only run when the agent actually executed (not skipped) and
+	// the workflow was not cancelled. Using always() so the job still runs even
+	// when upstream jobs are skipped (e.g. detection is skipped when agent produces
+	// no outputs). We check != 'skipped' rather than == 'success' so that
+	// repo-memory is pushed even when the agent fails — partial memory data is
+	// still valuable. Adding !cancelled() prevents the job from running after
+	// workflow cancellation (similar to compiler_safe_outputs_job.go).
+	// Crucially, the != 'skipped' check prevents the job from running on no-op
+	// workflow invocations (e.g. bot comments) where pre_activation is skipped
+	// and the skip cascades through activation → agent → detection.
+	agentNotSkipped := BuildNotEquals(
 		BuildPropertyAccess(fmt.Sprintf("needs.%s.result", constants.AgentJobName)),
-		BuildStringLiteral("success"),
+		BuildStringLiteral("skipped"),
 	)
+	notCancelled := &NotNode{Child: BuildFunctionCall("cancelled")}
 	jobNeeds := []string{string(constants.AgentJobName), string(constants.ActivationJobName)}
 	var jobCondition string
 	if threatDetectionEnabled {
 		// When threat detection is enabled, also require detection passed (succeeded or skipped).
-		jobCondition = RenderCondition(BuildAnd(BuildAnd(BuildFunctionCall("always"), buildDetectionPassedCondition()), agentSucceeded))
+		jobCondition = RenderCondition(BuildAnd(BuildAnd(BuildAnd(BuildFunctionCall("always"), notCancelled), buildDetectionPassedCondition()), agentNotSkipped))
 		jobNeeds = append(jobNeeds, string(constants.DetectionJobName))
 	} else {
-		jobCondition = RenderCondition(BuildAnd(BuildFunctionCall("always"), agentSucceeded))
+		jobCondition = RenderCondition(BuildAnd(BuildAnd(BuildFunctionCall("always"), notCancelled), agentNotSkipped))
 	}
 
 	// Build outputs map for validation failures from all memory steps

diff --git a/pkg/workflow/repo_memory_test.go b/pkg/workflow/repo_memory_test.go
@@ -1281,3 +1281,48 @@ func TestPushRepoMemoryJobConcurrencyKey(t *testing.T) {
 	assert.NotContains(t, pushJob.Concurrency, "push-repo-memory-${{ github.repository }}\"",
 		"Concurrency key should not be the old repo-wide-only key format")
 }
+
+// TestPushRepoMemoryJobConditionGatesOnAgentNotSkipped verifies that the push_repo_memory
+// job condition uses needs.agent.result != 'skipped' and !cancelled() so the job does not
+// run on no-op workflow invocations (e.g. bot comments where pre_activation is skipped)
+// or after workflow cancellation.
+func TestPushRepoMemoryJobConditionGatesOnAgentNotSkipped(t *testing.T) {
+	data := &WorkflowData{
+		RepoMemoryConfig: &RepoMemoryConfig{
+			Memories: []RepoMemoryEntry{
+				{ID: "default", BranchName: "memory/my-workflow"},
+			},
+		},
+	}
+
+	compiler := NewCompiler()
+
+	t.Run("without threat detection", func(t *testing.T) {
+		pushJob, err := compiler.buildPushRepoMemoryJob(data, false)
+		require.NoError(t, err, "Should build push job without error")
+		require.NotNil(t, pushJob, "Should produce a push job")
+
+		assert.Equal(t,
+			"always() && (!cancelled()) && needs.agent.result != 'skipped'",
+			pushJob.If,
+			"Condition should use always() && (!cancelled()) && agent != skipped",
+		)
+	})
+
+	t.Run("with threat detection", func(t *testing.T) {
+		pushJob, err := compiler.buildPushRepoMemoryJob(data, true)
+		require.NoError(t, err, "Should build push job without error")
+		require.NotNil(t, pushJob, "Should produce a push job")
+
+		assert.Contains(t, pushJob.If, "always()",
+			"Condition should contain always()")
+		assert.Contains(t, pushJob.If, "!cancelled()",
+			"Condition should contain !cancelled() to prevent running after cancellation")
+		assert.Contains(t, pushJob.If, "needs.agent.result != 'skipped'",
+			"Condition should check agent result != 'skipped'")
+		assert.Contains(t, pushJob.If, "needs.detection.result",
+			"Condition should still check detection result when threat detection is enabled")
+		assert.NotContains(t, pushJob.If, "needs.agent.result == 'success'",
+			"Condition should NOT use == 'success' for agent check")
+	})
+}