Add on.needs to support pre_activation/activation dependencies for credential-supply jobs

[Copilot]

This adds activation-side dependency control via on.needs, enabling pre_activation and activation to depend on custom upstream jobs (e.g., secret fetchers). It unblocks valid use of ${{ needs.<job>.outputs.* }} in on.github-app credentials.

• Schema + frontmatter model

  • Added on.needs to workflow schema.
  • Parsed/extracted on.needs into typed workflow data for compiler use.

• Compiler dependency wiring

  • pre_activation now includes on.needs in its needs.
  • activation now includes on.needs in its needs (merged with existing before-activation dependencies).
  • Jobs listed in on.needs are treated as pre-activation prerequisites and do not receive implicit needs: activation.

• Validation

  • Added on.needs validation:
    • must reference declared custom jobs,
    • rejects built-in/control job IDs,
    • rejects cycle-prone entries (jobs that already depend on activation/pre_activation).
  • Added on.github-app expression validation for app-id/private-key:
    • needs.<job>.outputs.* references must resolve to jobs available before activation (including on.needs).

• Docs

  • Updated trigger/frontmatter reference docs to document on.needs semantics and usage for credential-supply patterns.

Example:

on:
  workflow_dispatch:
  needs: [secrets_fetcher]
  github-app:
    client-id: ${{ needs.secrets_fetcher.outputs.app_id }}
    private-key: ${{ needs.secrets_fetcher.outputs.private_key }}

jobs:
  secrets_fetcher:
    runs-on: ubuntu-latest
    outputs:
      app_id: ${{ steps.fetch.outputs.app_id }}
      private_key: ${{ steps.fetch.outputs.private_key }}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE x_amd64/vet env -json .go x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE er GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv h ../../../.pret.prettierignore GO111MODULE $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv h ../../../.pret.prettierignore GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

🤖 Smoke CI passed — https://github.com/github/gh-aw/actions/runs/24807361070

Generated by Smoke CI for issue #27895 · ● 491.4K · ◷

[github-actions]

Commit pushed: 15dec6b

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (545 new lines in pkg/) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/27895-on-needs-explicit-pre-activation-job-dependencies.md

What to do next

1. Review the draft ADR committed to your branch — it was generated from the PR diff
2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and list real alternatives you considered
3. Commit the finalized ADR to docs/adr/ on your branch
4. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-27895: Introduce on.needs for Explicit Pre-Activation Job Dependencies

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

---

📋 Draft ADR Summary

Decision captured: Introduce on.needs as an explicit array in the on: frontmatter section, wiring those jobs as dependencies of both pre_activation and activation. This unblocks $\{\{ needs.<job>.outputs.* }} expressions in on.github-app credential fields.

Alternatives documented:

• Auto-detect credential-supply jobs from expression analysis (rejected: implicit, fragile)
• Inline credential logic via on.steps (rejected: conflates concerns, blocks parallelism, prevents reuse)

Key normative requirements:

• Jobs in on.needs MUST be added to pre_activation and activation dependencies
• Jobs in on.needs MUST NOT receive an implicit needs: activation guard
• Validation MUST reject built-in job IDs, cycle-prone references, and undeclared jobs

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 0042-use-postgresql.md for PR #42).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §24806829131

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 120.8K · ◷

[Copilot]

Pull request overview

Adds on.needs to let pre_activation and activation depend on custom upstream jobs (e.g., secret fetchers), enabling safe use of ${{ needs.<job>.outputs.* }} in on.github-app credential fields.

Changes:

• Extend workflow schema + frontmatter/workflow data model to include typed on.needs.
• Wire on.needs into compiler dependency generation for pre_activation, activation, and custom job auto-dependency behavior.
• Add validation + tests for on.needs targets and on.github-app needs-expression usage; update reference docs.

Show a summary per file

File	Description
pkg/workflow/on_steps_test.go	Adds unit test coverage for extractOnNeeds.
pkg/workflow/on_needs_validation_test.go	Adds tests for on.needs target validation and on.github-app needs-expression validation.
pkg/workflow/on_needs_validation.go	Implements validation for on.needs targets + on.github-app needs-expression constraints.
pkg/workflow/on_needs_integration_test.go	Integration test ensuring compiled jobs wire on.needs into pre_activation/activation needs.
pkg/workflow/frontmatter_types_test.go	Verifies ParseFrontmatterConfig extracts typed on.needs.
pkg/workflow/frontmatter_types.go	Adds OnNeeds typed field to frontmatter config model.
pkg/workflow/frontmatter_parsing.go	Extracts typed on.needs during frontmatter parsing.
pkg/workflow/compiler_types.go	Adds OnNeeds to WorkflowData for compiler consumption.
pkg/workflow/compiler_safe_outputs.go	Ensures on.needs isn’t treated as an event trigger key during on-section parsing.
pkg/workflow/compiler_pre_activation_job.go	Extracts on.needs, wires it into pre_activation.needs, and adds parsing helpers.
pkg/workflow/compiler_orchestrator_workflow.go	Populates WorkflowData.OnNeeds from frontmatter during orchestration.
pkg/workflow/compiler_jobs_test.go	Tests that jobs in on.needs do not receive implicit needs: activation.
pkg/workflow/compiler_jobs.go	Updates pre-activation creation conditions and custom job auto-dependency logic to respect on.needs.
pkg/workflow/compiler_activation_job_builder.go	Adds on.needs jobs to the activation job dependency set.
pkg/workflow/compiler.go	Adds validation call for on.needs + related on.github-app expression checks.
pkg/parser/schemas/main_workflow_schema.json	Adds on.needs to schema (array of job IDs).
docs/src/content/docs/reference/triggers.md	Documents on.needs semantics and credential-supply example.
docs/src/content/docs/reference/frontmatter.md	Adds on.needs to the frontmatter on: field listing.
docs/src/content/docs/reference/frontmatter-full.md	Adds on.needs to the full frontmatter reference example.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 20/20 changed files
• Comments generated: 2

[Copilot]

Error messages and field labels refer to on.github-app.app-id, but the YAML key for this field is client-id (see GitHubAppConfig yaml tag). This will surface confusing diagnostics to users. Use client-id in the field map / error messages so they match the documented/frontmatter key names.

Suggested change

	"app-id": data.ActivationGitHubApp.AppID,
	"client-id": data.ActivationGitHubApp.AppID,

[Copilot]

validateOnNeedsTargets only rejects on.needs jobs that directly depend on activation/pre_activation. A common configuration can still create a cycle via implicit activation dependencies: if an on.needs job has explicit needs: [B] and job B has no explicit needs and is not in on.needs/prompt-referenced, the compiler will auto-add needs: activation to B, producing activation → A → B → activation. Consider validating the entire dependency chain for each on.needs target (or, minimally, require that any explicit needs of an on.needs job are also listed in on.needs / otherwise guaranteed to run before activation) to prevent these cycle-prone setups with a clearer error.

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 80/100

✅ Excellent

Metric	Value
New/modified tests analyzed	6
✅ Design tests (behavioral contracts)	6 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	4 (67%)
Duplicate test clusters	0
Test inflation detected	Yes — compiler_jobs_test.go (+33 test / +11 prod = 3:1)
🚨 Coding-guideline violations	0

---

Test Classification Details

View all 6 tests

Test	File	Classification	Issues Detected
TestBuildCustomJobsDoesNotAutoAddActivationWhenListedInOnNeeds	compiler_jobs_test.go	✅ Design	Negative assertion (NotContains) verifies on.needs jobs don't accidentally inherit activation dependency. No explicit error path, but the invariant is a boundary condition.
"parses on.needs config" (subtest of TestParseFrontmatterConfig)	frontmatter_types_test.go	✅ Design	Verifies correct deserialization of on.needs array. Happy-path only — no malformed input case.
TestOnNeedsCompilesAndWiresActivationDependencies	on_needs_integration_test.go	✅ Design	End-to-end integration test: compiles a full workflow and inspects the compiled YAML. Verifies both pre_activation and activation gain the correct needs entries. Happy-path only, but strong behavioral signal.
TestValidateOnNeedsTargets	on_needs_validation_test.go	✅ Design	3 subtests: valid target (happy path), built-in job rejected (error), target depending on activation rejected (error). Covers two important error invariants.
TestValidateOnGitHubAppNeedsExpressions	on_needs_validation_test.go	✅ Design	2 subtests: valid expression passes, unknown job in expression rejected. Error path verifies exact error message content.
TestExtractOnNeeds	on_steps_test.go	✅ Design	Table-driven with 5 rows: empty frontmatter (nil), string trigger (nil), no needs key (nil), valid array (extracted), wrong type (error). Covers edge cases and type error.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 6 tests — unit (//go:build !integration) and integration (//go:build integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Observations

Build tags: All new and modified test files have the required build tag on line 1. ✅

Assertion messages: All testify calls include descriptive message arguments. ✅

No mock libraries: No gomock, testify/mock, .EXPECT(), or .On() usage detected. ✅

Test inflation (informational): Two test files exceed the 2:1 test-to-production line ratio, which triggers the scoring penalty:

• compiler_jobs_test.go: +33 test lines / +11 production lines ≈ 3:1
• frontmatter_types_test.go: +21 test lines / +1 production lines (frontmatter_types.go only added a field; the parsing logic lives in frontmatter_parsing.go +13 lines, giving a combined 21/14 ≈ 1.5:1 — much more reasonable in context)

Both cases represent tests that need more setup boilerplate to construct the right WorkflowData or frontmatter inputs than the production code change itself. This is acceptable; the 2:1 ratio is a heuristic signal, not a hard quality gate.

Minor gap: Neither "parses on.needs config" nor TestOnNeedsCompilesAndWiresActivationDependencies test an error scenario. Adding a subtest for malformed on.needs input (e.g., a string instead of an array) to the integration test or the TestParseFrontmatterConfig group would round out coverage — though TestExtractOnNeeds already covers the on.needs must be an array error path at the extraction layer.

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). All 6 new/modified tests verify observable behavioral contracts, build tags are correct, and no mock libraries are used.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References:

• §24806829112

🧪 Test quality analysis by Test Quality Sentinel · ● 603.6K · ◷

[github-actions]

✅ Test Quality Sentinel: 80/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 6 new/modified tests verify behavioral contracts, build tags are correct, and no mock libraries are used.

[pelikhan]

@copilot review all comments

[github-actions]

✅ Smoke CI completed successfully!

[github-actions]

🤖 Smoke CI — workflow completed successfully. Run: https://github.com/github/gh-aw/actions/runs/24807361070

Generated by Smoke CI for issue #27895 · ● 491.4K · ◷

[Copilot]

@copilot review all comments

Reviewed and addressed all actionable review comments in commit ab3ea84: updated diagnostics to use on.github-app.client-id, and added transitive on.needs dependency-chain validation to prevent cycle-prone configurations. Added focused tests covering both fixes.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name 64/pkg/tool/linux_amd64/compile GOINSECURE nal/poly1305 GOMODCACHE 64/pkg/tool/linu/tmp/go-build59802336/b115/vet.cfg env .a RR0X2oXnN ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu--auto (http block)
  • Triggering command: /usr/bin/gh gh repo view owner/repo env 18752912 64jHUho52 ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile env ortcfg Ak5qHtlUh ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE /strconv GOMODCACHE ache/go/1.25.8/x^remote\..*\.gh-resolved$ (http block)
  • Triggering command: /usr/bin/gh gh repo view owner/repo env 18752912 ortcfg ache/go/1.25.8/x64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-tests ortc�� /atomic PSlwfWm62 ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE 4929151/b021/ GOMODCACHE ache/go/1.25.8/x12345 (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json go 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git g_.a sYYP-7R33 64/pkg/tool/linu--show-toplevel git merg�� -L current (local changes) /usr/bin/git base (original) -L new (upstream) git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv waysRecompiles1585049353/001 go /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE x_amd64/asm node /tmp�� /tmp/TestHashConsistency_GoAndJavaScript1892580054/001/test-frontmatter-with-arr-s l ache/node/24.14.1/x64/bin/node -json GO111MODULE x_amd64/compile ache/node/24.14.1/x64/bin/node (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv 4929151/b088/_pkg_.a rg/x/text@v0.36.0/internal/strin-test.run=^Test ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE GOMOD 4929151/b007/sym/tmp/TestPushWorkflowFiles_WithStagedFiles1355843719/001/workflow.md ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile ache�� /ref/tags/v9 r73k/ZR15bOYtzO_sNGC5r73k sv GOINSECURE b/gh-aw/pkg/giturev-parse GOMODCACHE /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linuconfig /usr/bin/git DefaultBranchFrotr DefaultBranchFro\n x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git 1955-36701/test-git GO111MODULE ache/go/1.25.8/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel l ache/node/24.14.--show-toplevel git 1/x6�� --show-toplevel git /usr/bin/git bility_SameInputgit config /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260422-231955-36701/test-4108531536/.github/workflows rev-parse /usr/bin/git ntent.md GO111MODULE 64/bin/go git conf�� --get remote.origin.url /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linuremote1 /usr/bin/git RequiresMinInteggit main.go 64/pkg/tool/linu-m git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 02336/b417/envutgit SgUm/-evxfJf9jMJrev-parse e/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build2494929151/b248/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.36.0/internal/format/format.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json go 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/link /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE x_amd64/vet /opt/hostedtoolcache/node/24.14.1/x64/bin/node /tmp�� secrets.TOKEN x_amd64/vet /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --git-dir go /usr/bin/git plate-expressiongit hyphen4156068957rev-parse 64/bin/go git -C /tmp/gh-aw-test-runs/20260422-231955-36701/test-640136944/custom/workflows l /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --git-dir x_amd64/vet /opt/hostedtoolcache/node/24.14.1/x64/bin/node a.out GO111MODULE 64/pkg/tool/linu--show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node /tmp�� inputs.version 64/pkg/tool/linu--auto /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv t0 /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.36.0/internal/langu-nolocalimports (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv --count 75526f18..HEAD $name) { hasDiscussionsEnabled } } ion-test main bin/git git rev-�� HEAD 75526f18 tnet/tools/git -b (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv 75526f18..HEAD --stdout modules/@npmcli/run-script/lib/node-gyp-bin/go ion-test main /git git rev-�� HEAD 75526f18..HEAD 64/bin/node -b (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/compile /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE 64/pkg/tool/linu--show-toplevel node /tmp�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/archie.md 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260422-231955-36701/test-3360320453/.github/workflows config /usr/bin/git remote.origin.urgit -nolocalimports -importcfg git conf�� --get remote.origin.url low.test -json GO111MODULE 64/bin/go low.test (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv 02336/b456/_pkg_.a remote 02336/b456=> -json GO111MODULE 64/bin/go git rev-�� -fhz/sg3YSHTzqdvJXL5t-fhz l 64/pkg/tool/linux_amd64/link 01 GO111MODULE 64/bin/go 64/pkg/tool/linux_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/vet env -json fg ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE th_wasm.o 64/src/math/big/--show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name 0/internal/format/format.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE yLNKNaz/ITCHFh6R_3VA1bELNvSY env g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE util 64/src/reflect/a--show-toplevel 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linu/var/log/sysstat GOINSECURE mic_wasm.o 64/src/internal/--git-dir 64/pkg/tool/linux_amd64/compile env g_.a Bzwz7Kv-X ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name 0/message/catalog/catalog.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linu-trimpath env g_.a fG0BeREzZ ache/go/1.25.8/x-lang=go1.25 GOINSECURE t GOMODCACHE ache/go/1.25.8/x-goversion (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE tants abis 64/pkg/tool/linutest@example.com env 18752912 ortcfg ache/go/1.25.8/x64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-tests (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE .o 64/src/sync/atomic/asm.s pBvTgXO/G1KutSxXHjoE8hqd2SJr env 106723602 9xL6IaqNl ck GOINSECURE 2L88y7LOzA8rb4aerev-parse GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuremote (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 tOLMlgimq 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env RNn7znL6m GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linushow (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name n.go 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link env 106723602/.github/workflows Kt0zQSK0W ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuconfig (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/vet env -json Ffi6x77fi ache/go/1.25.8/x64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linurev-parse (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name X4Ap2OrxA ache/go/1.25.8/x64/bin/go GOINSECURE util GOMODCACHE go env l 2>&1; then \ echo "Running wasm-opt -Oz (size optimization)..."; \ BEFORE=$(wc -c < gh-aw.wa/usr/bin/git GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linushow (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE cii GOMODCACHE 64/pkg/tool/linux_amd64/vet ortc�� 640136944/custom/workflows g/tty/tty_wasm.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD abis 64/src/math/flootest@example.com env -h gh-aw.wasm | cut -f1))" 1Yg0zHCmd ache/go/1.25.8/x64/pkg/tool/linu-buildmode=exe GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu--jq (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 eF_9lmWUN 64/pkg/tool/linux_amd64/vet GOINSECURE on GOMODCACHE 64/pkg/tool/linux_amd64/vet env 640136944/custom/workflows GO111MODULE til.test GOINSECURE GOMOD GOMODCACHE til.test (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a kLZAPaMu6 il.test GOINSECURE GOMOD GOMODCACHE il.test (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build59802336/b404/cli.test /tmp/go-build59802336/b404/cli.test -test.testlogfile=/tmp/go-build59802336/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build2494929151/b223/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linu-tests /usr/bin/git ility-kit.md rg/x/text@v0.36.rev-parse x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git st-373900466/.gils GO111MODULE 1/x64/bin/node git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv ortcfg qbNVEaFt_ x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile ranc�� ortcfg GO111MODULE fg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuremote1 (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv sm-opt -Oz (size optimization)..."; \ BEFORE=$(wc -c < gh-aw.wasm); \ wasm-opt -Oz --enable-bugit GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv .a FSSLThW2J x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env .a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE util GOMODCACHE ache/go/1.25.8/x12345 (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD abis 64/pkg/tool/linu/tmp/go-build59802336/b112/vet.cfg env til.go til_test.go tcfg.link GOINSECURE GOMOD GOMODCACHE L4Oo3EWq5--2qSZIa7/AGm_YNCiJj6xQxy0gHvt/cpe0FUpiconfig (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state 64/pkg/tool/linux_amd64/compile GOINSECURE util 64/src/reflect/a--show-toplevel 64/pkg/tool/linux_amd64/compile env .a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE er GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build59802336/b410/importcfg -pack /tmp/go-build59802336/b410/_testmain.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 640136944/custom/workflows g/tty/tty_wasm.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile ortc�� 4929151/b106/_pkg_.a om/segmentio/encoding@v0.5.4/ascii/equal_fold.go fg GOINSECURE l GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuorigin (http block)
• invalid.example.invalid
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git form�� origin/auth-cleanup-success..auth-cleanup-success --stdout 64/bin/git -1 --format=%s nfig/composer/vefor-each-ref git conf�� user.email lure test commit k/node_modules/.bin/git -m Initial commit de_modules/.bin/agent-change.txt git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

Great work on this feature addition! 🎉

The on.needs support for pre_activation/activation credential-supply job dependencies is a meaningful and well-scoped addition to gh-aw's workflow compilation capabilities. What stands out here is the thoroughness of the implementation — schema changes, compiler dependency wiring, validation, and docs are all covered in a single coherent PR, along with 5 test files ensuring the new behaviour is well-exercised.

It's also great to see Smoke CI passing, which gives confidence that the end-to-end compilation pipeline is healthy.

This PR looks ready for maintainer review. 🚀

Generated by Contribution Check · ● 2M · ◷