From 2d4658dd6957cef460f4dda0081090ef94882dc3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 14 Apr 2026 00:16:01 +0000 Subject: [PATCH 1/3] refactor: use ExpressionBuilder for all if expressions in maintenance_workflow.go Agent-Logs-Url: https://github.com/github/gh-aw/sessions/154f1ff2-da49-4ed7-95ab-ebf61d59523b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agentics-maintenance.yml | 14 ++++---- pkg/workflow/maintenance_workflow.go | 40 ++++++++++++++++++---- 2 files changed, 40 insertions(+), 14 deletions(-) diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index 1553b40cedc..7e314bac9d8 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml @@ -62,7 +62,7 @@ permissions: {} jobs: close-expired-entities: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + if: ${{ (!(github.event.repository.fork)) && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} runs-on: ubuntu-slim permissions: discussions: write @@ -187,7 +187,7 @@ jobs: await main(); apply_safe_outputs: - if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'safe_outputs' && !github.event.repository.fork }} + if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'safe_outputs' && (!(github.event.repository.fork)) }} runs-on: ubuntu-slim permissions: actions: read 
@@ -232,7 +232,7 @@ jobs: await main(); create_labels: - if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'create_labels' && !github.event.repository.fork }} + if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'create_labels' && (!(github.event.repository.fork)) }} runs-on: ubuntu-slim permissions: contents: read @@ -280,7 +280,7 @@ jobs: await main(); validate_workflows: - if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'validate' && !github.event.repository.fork }} + if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'validate' && (!(github.event.repository.fork)) }} runs-on: ubuntu-latest permissions: contents: read @@ -328,7 +328,7 @@ jobs: await main(); compile-workflows: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + if: ${{ (!(github.event.repository.fork)) && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} runs-on: ubuntu-slim permissions: contents: read @@ -368,7 +368,7 @@ jobs: await main(); zizmor-scan: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + if: ${{ (!(github.event.repository.fork)) && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} runs-on: ubuntu-slim needs: compile-workflows permissions: @@ -392,7 +392,7 @@ jobs: echo "✓ Zizmor security scan completed" secret-validation: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + if: ${{ (!(github.event.repository.fork)) && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} runs-on: ubuntu-slim permissions: contents: read 
diff --git a/pkg/workflow/maintenance_workflow.go b/pkg/workflow/maintenance_workflow.go index 76f9238eab9..0db810759e5 100644 --- a/pkg/workflow/maintenance_workflow.go +++ b/pkg/workflow/maintenance_workflow.go @@ -274,7 +274,7 @@ permissions: {} jobs: close-expired-entities: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + if: ${{ ` + RenderCondition(buildNotForkAndScheduled()) + ` }} runs-on: ` + runsOnValue + ` permissions: discussions: write @@ -434,7 +434,7 @@ jobs: // Add apply_safe_outputs job for workflow_dispatch with operation == 'safe_outputs' yaml.WriteString(` apply_safe_outputs: - if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'safe_outputs' && !github.event.repository.fork }} + if: ${{ ` + RenderCondition(buildDispatchOperationCondition("safe_outputs")) + ` }} runs-on: ` + runsOnValue + ` permissions: actions: read @@ -482,7 +482,7 @@ jobs: // Add create_labels job for workflow_dispatch with operation == 'create_labels' yaml.WriteString(` create_labels: - if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'create_labels' && !github.event.repository.fork }} + if: ${{ ` + RenderCondition(buildDispatchOperationCondition("create_labels")) + ` }} runs-on: ` + runsOnValue + ` permissions: contents: read @@ -529,7 +529,7 @@ jobs: validateRunsOnValue := FormatRunsOn(configuredRunsOn, "ubuntu-latest") yaml.WriteString(` validate_workflows: - if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.operation == 'validate' && !github.event.repository.fork }} + if: ${{ ` + RenderCondition(buildDispatchOperationCondition("validate")) + ` }} runs-on: ` + validateRunsOnValue + ` permissions: contents: read 
@@ -579,7 +579,7 @@ jobs: // Add compile-workflows job yaml.WriteString(` compile-workflows: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + if: ${{ ` + RenderCondition(buildNotForkAndScheduled()) + ` }} runs-on: ` + runsOnValue + ` permissions: contents: read @@ -616,7 +616,7 @@ jobs: await main(); zizmor-scan: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + if: ${{ ` + RenderCondition(buildNotForkAndScheduled()) + ` }} runs-on: ` + runsOnValue + ` needs: compile-workflows permissions: @@ -640,7 +640,7 @@ jobs: echo "✓ Zizmor security scan completed" secret-validation: - if: ${{ !github.event.repository.fork && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} + if: ${{ ` + RenderCondition(buildNotForkAndScheduled()) + ` }} runs-on: ` + runsOnValue + ` permissions: contents: read 
@@ -753,6 +753,32 @@ func buildNotForkAndScheduledOrOperation(operation string) ConditionNode { ) } +// buildNotForkAndScheduled creates a condition for jobs that should run on +// schedule (or non-dispatch events) but not when an operation is specified. +// Condition: !fork && (not_dispatch || operation == "") +func buildNotForkAndScheduled() ConditionNode { + return BuildAnd( + buildNotForkCondition(), + buildNotDispatchOrEmptyOperation(), + ) +} + +// buildDispatchOperationCondition creates a condition for jobs that should run +// only when a specific workflow_dispatch operation is selected and not a fork. +// Condition: dispatch && operation == op && !fork +func buildDispatchOperationCondition(operation string) ConditionNode { + return BuildAnd( + BuildAnd( + BuildEventTypeEquals("workflow_dispatch"), + BuildEquals( + BuildPropertyAccess("github.event.inputs.operation"), + BuildStringLiteral(operation), + ), + ), + buildNotForkCondition(), + ) +} + // buildRunOperationCondition creates the condition for the unified run_operation // job that handles all dispatch operations except the ones with dedicated jobs. // Condition: dispatch && operation != ” && operation != each excluded && !fork. From b640e59f466a3875d9de44d2c2f57499cc43732c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 14 Apr 2026 00:20:11 +0000 Subject: [PATCH 2/3] refactor: clarify buildNotForkAndScheduled comment per code review Agent-Logs-Url: https://github.com/github/gh-aw/sessions/154f1ff2-da49-4ed7-95ab-ebf61d59523b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/maintenance_workflow.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/workflow/maintenance_workflow.go b/pkg/workflow/maintenance_workflow.go index 0db810759e5..bad1b5670c1 100644 --- a/pkg/workflow/maintenance_workflow.go +++ b/pkg/workflow/maintenance_workflow.go 
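Review bot: `buildDispatchOperationCondition` embeds its `operation` argument into a GitHub Actions `if:` expression through `BuildStringLiteral`, and the hunk does not show whether that helper escapes a single quote, so the contract that the value is a fixed identifier is only implicit; all three callers in this patch pass constants, so this is a documentation point rather than a live defect. I would state it in the doc comment: `// operation must be one of the workflow_dispatch input's declared choices; it is rendered verbatim as a string literal in the job's if: expression.` The nested `BuildAnd(BuildAnd(a, b), c)` also reads as if `BuildAnd` is binary; if it accepts more than two operands, a single flat call would be clearer and would match the flat condition written in the comment. `buildRunOperationCondition` starts at the end of this hunk but its body is outside it.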
@@ -753,9 +753,10 @@ func buildNotForkAndScheduledOrOperation(operation string) ConditionNode { ) } -// buildNotForkAndScheduled creates a condition for jobs that should run on -// schedule (or non-dispatch events) but not when an operation is specified. -// Condition: !fork && (not_dispatch || operation == "") +// buildNotForkAndScheduled creates a condition for jobs that should run on any +// non-dispatch event (e.g. schedule, push) or on workflow_dispatch with an empty +// operation, and never on forks. +// Condition: !fork && (event_name != 'workflow_dispatch' || operation == "") func buildNotForkAndScheduled() ConditionNode { return BuildAnd( buildNotForkCondition(), From 5929552006b3134597671037d38966bbfbf1ff8c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 14 Apr 2026 00:32:09 +0000 Subject: [PATCH 3/3] refactor: remove zizmor-scan job from maintenance workflow Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7d97d658-6f38-417c-b319-e34395beead9 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agentics-maintenance.yml | 24 ---------------------- pkg/workflow/maintenance_workflow.go | 24 ---------------------- pkg/workflow/maintenance_workflow_test.go | 2 +- 3 files changed, 1 insertion(+), 49 deletions(-) diff --git a/.github/workflows/agentics-maintenance.yml b/.github/workflows/agentics-maintenance.yml index 7e314bac9d8..63508aea9fe 100644 --- a/.github/workflows/agentics-maintenance.yml +++ b/.github/workflows/agentics-maintenance.yml 
@@ -367,30 +367,6 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_recompile_needed.cjs'); await main(); - zizmor-scan: - if: ${{ (!(github.event.repository.fork)) && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} - runs-on: ubuntu-slim - needs: compile-workflows - permissions: - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Setup Go - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - with: - go-version-file: go.mod - cache: true - - - name: Build gh-aw - run: make build - - - name: Run zizmor security scanner - run: | - ./gh-aw compile --zizmor --verbose - echo "✓ Zizmor security scan completed" - secret-validation: if: ${{ (!(github.event.repository.fork)) && (github.event_name != 'workflow_dispatch' || github.event.inputs.operation == '') }} runs-on: ubuntu-slim diff --git a/pkg/workflow/maintenance_workflow.go b/pkg/workflow/maintenance_workflow.go index bad1b5670c1..1739f568b47 100644 --- a/pkg/workflow/maintenance_workflow.go +++ b/pkg/workflow/maintenance_workflow.go 
@@ -615,30 +615,6 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/check_workflow_recompile_needed.cjs'); await main(); - zizmor-scan: - if: ${{ ` + RenderCondition(buildNotForkAndScheduled()) + ` }} - runs-on: ` + runsOnValue + ` - needs: compile-workflows - permissions: - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Setup Go - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - with: - go-version-file: go.mod - cache: true - - - name: Build gh-aw - run: make build - - - name: Run zizmor security scanner - run: | - ./gh-aw compile --zizmor --verbose - echo "✓ Zizmor security scan completed" - secret-validation: if: ${{ ` + RenderCondition(buildNotForkAndScheduled()) + ` }} runs-on: ` + runsOnValue + ` diff --git a/pkg/workflow/maintenance_workflow_test.go b/pkg/workflow/maintenance_workflow_test.go index 7348cb6bd38..128c41df0ad 100644 --- a/pkg/workflow/maintenance_workflow_test.go +++ b/pkg/workflow/maintenance_workflow_test.go @@ -290,7 +290,7 @@ func TestGenerateMaintenanceWorkflow_OperationJobConditions(t *testing.T) { const runOpSectionSearchRange = 500 // Jobs that should be disabled when any non-dedicated operation is set (cleanup-cache-memory has its own dedicated operation) - disabledJobs := []string{"close-expired-entities:", "compile-workflows:", "secret-validation:", "zizmor-scan:"} + disabledJobs := []string{"close-expired-entities:", "compile-workflows:", "secret-validation:"} for _, job := range disabledJobs { // Find the if: condition for each job jobIdx := strings.Index(yaml, "\n "+job)
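Review bot: Removing the `zizmor-scan` job drops the scheduled `./gh-aw compile --zizmor` pass over the compiled workflows, and neither the commit message nor the generator says where that coverage now lives, so a reader of `maintenance_workflow.go` cannot tell whether zizmor still runs anywhere. If the scan is kept elsewhere (for example in a pull-request check), I would record that next to the remaining jobs in the generator: `// zizmor scanning was removed from the maintenance workflow; it is expected to run in <workflow> instead.` If it is not kept, the change reduces security coverage rather than refactoring, and the subject line should say so. The test update in `maintenance_workflow_test.go` only drops `zizmor-scan:` from `disabledJobs`; an explicit check that the generated YAML no longer contains `"zizmor-scan:"` would pin the intended removal.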