fix: move base-folder restore before pre-agent-steps so APM-restored skills survive PR context

[Copilot]

APM-restored skills (e.g. .github/skills/) installed by pre-agent-steps were silently clobbered in pull_request runs because the "Restore agent config folders from base branch" step executed after pre-agent-steps in the generated workflow. In workflow_dispatch there is no PR checkout so the restore step is never emitted — which is exactly why skills worked in dispatch but failed in PR context.

Changes

• compiler_yaml_main_job.go — reorder steps in generateMainJobSteps:

  • Move "Download activation artifact", "Prepare comment memory files", and "Restore agent config folders from base branch" to before generatePreAgentSteps
  • Pre-agent-steps still run before MCP setup (gateway dependency unchanged)
  • New order: download artifact → base restore → pre-agent-steps → MCP setup

  Before (broken):
    pre-agent-steps (APM restore → writes .github/skills/)
    MCP setup
    Download activation artifact
    Restore agent config folders   ← overwrites .github/skills/
  
  After (fixed):
    Download activation artifact
    Restore agent config folders   ← base snapshot applied first
    pre-agent-steps (APM restore → writes .github/skills/)
    MCP setup
  

• compiler_pre_agent_steps_test.go — add the missing ordering invariant to TestImportedPreAgentStepsRunAfterPRBaseRestore (base restore must precede APM restore); add TestImportedPreAgentStepsRunAfterPRBaseRestoreCopilot covering engine: copilot + pull_request, the exact combination from the public repro

• Golden files updated to reflect the new step ordering

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile estl�� g_.a S-MkVro-o ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE ole GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuTest User (http block)
  • Triggering command: /usr/bin/gh gh repo view owner/repo env 3383808052 NG8R67gve 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link env ger.test GO111MODULE ortcfg.link GOINSECURE GOMOD GOMODCACHE 9Ym34G_sfJyM6o-I^remote\..*\.gh-resolved$ (http block)
  • Triggering command: /usr/bin/gh gh repo view owner/repo env 3383808052 Kt0zQSK0W ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE chema/v6 GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-importcfg env QR-HUaE0f GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-buildmode=exe GOINSECURE 6003580/b007/ GOMODCACHE ache/go/1.25.8/x12345 (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json .go 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name *.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore rev-parse repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } st-vIoYAV/test-cgit Test validator.lock.y/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git -C ithub/workflows show k/node_modules/.bin/node test-Mh0zaK/slow/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -m ache/node/24.14.-bool git (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git g_.a eUCGDzm1t 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git ortcfg mMLh2czeP ache/go/1.25.8/xinstall git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel /bin/sh /usr/bin/git ithub/workflows git er: String!, $na--show-toplevel git rev-�� --show-toplevel git /usr/bin/git 88265015/001 rev-parse 64/pkg/tool/linuinstall /usr/bin/git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows/agent-performance-analyzer.md -test.v=true /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool l /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/compile-all-instructions-test-98653609 show /opt/hostedtoolcache/node/24.14.1/x64/bin/node rite '**/*.cjs' git config l node /tmp�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/.artifacts[].name (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv ortcfg GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE light 6003580/b021/sym/tmp/TestPushWorkflowFiles_WithStagedFiles1945570346/001/workflow.md ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile env 4100429137 28ie/dWadUuI3oiBsYAOo28ie 64/pkg/tool/linux_amd64/vet GOINSECURE t/internal/tag GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel -extld=gcc /usr/bin/git ortcfg GO111MODULE .cfg git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linustatus /usr/bin/git 6003580/b171/_pkgit GO111MODULE ache/go/1.25.8/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git-upload-pack /usr/bin/git ithub/workflows/git l /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --git-dir /tmp/go-build301rev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows/architecture-guardian.md config /usr/bin/git remote.origin.urgit GO111MODULE 64/bin/go git -C /tmp/gh-aw-test-runs/20260424-144654-34794/test--test.timeout=10m0s l /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv :latest --format=%(objectname) /usr/bin/git *.json' '!../../git tPath,Error,Dir,rev-parse tnet/tools/bash git rev-�� runs/20260424-145057-52731/test-1241705331 git /usr/bin/git s/test.md ssibility.go k/node_modules/.--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 4100429137 jfLv/0caWgwAWMGdcommit 1/x64/bin/node git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuremote.origin.url /usr/bin/git vaScript30083373git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git 5057-52731/test-git rev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git 5057-52731/test-git config e/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build3896003580/b246/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.36.0/message/catalog/catalog.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -c=4 -nolocalimports -importcfg /tmp/go-build3018861950/b437/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil_test.go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --git-dir x_amd64/link /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/gh g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel sh (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_with_explicit_repo2382772332/001 rev-parse /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -json GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv user.email test@example.com /usr/bin/infocmp tmatter-with-envgit GO111MODULE 64/pkg/tool/linu--show-toplevel infocmp -1 xterm-color 64/pkg/tool/linux_amd64/compile /usr/bin/gh g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /tmp/TestHashConsistency_GoAndJavaScript3088507683/001/test-frontmatter-with-arrays.md -tests /usr/bin/git *.json' '!../../git show /usr/bin/git git -C s/test.md remote /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/worgit config repository(owne--show-toplevel node (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv 8861950/b462/_pkg_.a -tests 8861950/b462=> -json GO111MODULE 64/bin/go git rev-�� byx2/jNQYSQDdMsvnnTZDbyx2 go /tmp/go-build3018861950/b444/stats.test -json GO111MODULE 64/bin/go /tmp/go-build3018861950/b444/stats.test (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ck.yml l /usr/bin/git 3850806/b090/_pkgit rev-parse ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/xrev-parse /usr/bin/git b2NM/ftHPOpQGk1cgit 1bd2a33bb5f33cd1rev-parse in/node git (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv user.email ings.cjs odules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/git cjs st/suppress-warn-o 64/bin/node forks.js rev-�� HEAD st/suppress-warnmain _modules/.bin/gi-lang=go1.25 HEAD -aw/aw-test-owne--experimental-import-meta-resolve k/gh-aw/gh-aw/ac--require st/dist/workers//home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv . tions/setup/js/node_modules/vite--stdout $name) { hasDiscussionsEnabled } } d git tions/node_modul-m git init�� -q (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv . tions/setup/js/node_modules/vite--stdout bin/git HEAD l ode-gyp-bin/git UOnnzN-/JN-ltRy2/home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/vitest/suppress-warnings.cjs init�� -q st/suppress-warn--conditions k/node_modules/.development est-change ode_modules/viteapi 86_64/git st/dist/workers/-f (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linuTest User /opt/hostedtoolcache/node/24.14.1/x64/bin/node lex-frontmatter-git GO111MODULE 64/pkg/tool/linu--show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node /tmp�� GOMODCACHE 64/pkg/tool/linu/tmp/go-build3018861950/b112/vet.cfg /usr/bin/git g_.a emplate/v3@v3.0.rev-parse 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel node /usr/bin/git ithub/workflows --write er: String!, $na--show-toplevel git rev-�� --show-toplevel sh (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv --show-toplevel -pack 64/pkg/tool/linux_amd64/vet -json GO111MODULE 64/bin/go 64/pkg/tool/linux_amd64/vet -C /tmp/gh-aw-test-runs/20260424-144654-34794/test-3383808052 config /opt/hostedtoolcache/node/24.14.1/x64/bin/node remote.origin.urgit GO111MODULE 64/bin/go node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv git-upload-pack '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitmaster_branch782486043/001' l /usr/bin/git */*.json' '!../.git }} {{context.Comrev-parse r: $owner, name:--show-toplevel git -C /tmp/gh-aw-test-runs/20260424-145057-52731/test-1110637414/.github/workflows remote /usr/bin/gh .version=747a231git show ache/node/24.14.--show-toplevel gh (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv r-test2137057489/test1.md r-test2137057489/test2.lock.yml /usr/bin/git -json GO111MODULE 64/bin/go git -C /tmp/gh-aw-test-runs/20260424-144654-34794/test-3383808052 remote om/owner/repo.git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv run (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/auth/auth.-nolocalimports 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE go-sdk/mcp abis 64/src/math/big/arith_wasm.s (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE .o 64/src/runtime/auser.name 64/pkg/tool/linuTest User env 1772363628/custom/workflows 3Js0Ri3Dw ache/go/1.25.8/x64/pkg/tool/linu-buildmode=exe GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name git /usr/bin/git re --log-level=egit rev-parse (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name 0/internal/catmsg/catmsg.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env 459987655 Bzwz7Kv-X ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE r GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE _test.o 64/src/internal/abi/abi_test.s 64/pkg/tool/linux_amd64/compile env 3383808052 9xL6IaqNl ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name rev-parse /usr/bin/git ithub/workflows show kflows/smoke-cod--show-toplevel git -C k/gh-aw/gh-aw rev-parse .cfg js/**/*.json' --git st/dist/workers/rev-parse /usr/bin/gh docker (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name 0/internal/number/common.go 64/pkg/tool/linux_amd64/compile GOINSECURE tants GOMODCACHE 64/pkg/tool/linutest@example.com env 459987655 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-buildtags (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 ri/jsonschema/v6@v6.0.2/kind/kind.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 3383808052 Kt0zQSK0W ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE chema/v6 GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-importcfg (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name config /usr/bin/git remote.origin.urgit erena-mcp-serverrev-parse ti-device-docs-t--show-toplevel git -C k/gh-aw/gh-aw/.github/workflows config .cfg remote.origin.urgit rev-parse /usr/bin/infocmp--show-toplevel /usr/bin/gh (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/mcp/client.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE er abis ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD abis ylQP4Z8/vCNYLdc7D8RXanEmFBss 64/s�� 64/src/runtime/ints.s BytXhgNOP ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-test.v=true (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name show er: String!, $name: String!) { repository(owne-q re --log-level=egit rev-parse /usr/bin/git /usr/bin/gh api graphql -f er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabl--paginate -f owner=github -f git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name 7JGiP3oGe 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 2257742728/.github/workflows uKJh7UXOD eutil.test GOINSECURE GOMOD GOMODCACHE eutil.test (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env g_.a diXaaNED5 k GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-buildtags (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name config kflows/python-data-charts.lock.yml remote.origin.urgit show x_amd64/link git -C /home/REDACTED/work/gh-aw/gh-aw erena-mcp-server:latest /usr/bin/git k/gh-aw/gh-aw/.ggit rev-parse ode_modules/.bin--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name n.go 64/pkg/tool/linu-nilfunc GOINSECURE (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 LvhFNvMoO 64/pkg/tool/linux_amd64/vet GOINSECURE on GOMODCACHE 64/pkg/tool/linux_amd64/vet env -obugO3Wj GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name rev-parse (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name S1XHWmzm6 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 2257742728/.github/workflows GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-buildmode=exe GOINSECURE flow GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-extld=gcc (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 lNGu_38wk 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env jYhsBWmby GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name config /usr/bin/git remote.origin.urgit show modules/@npmcli/--show-toplevel git -C 5057-52731/test-2063270434/.github/workflows rev-parse er: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabl--show-toplevel k/gh-aw/gh-aw/.ggit oFiles,IgnoredOtrev-parse sh docker (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -c=4 -nolocalimports -importcfg /tmp/go-build3018861950/b419/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/asm env -json ase64.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a bbyq8rTOi ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE v3 GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuTest User (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build3018861950/b404/cli.test /tmp/go-build3018861950/b404/cli.test -test.testlogfile=/tmp/go-build3018861950/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build3896003580/b223/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /tmp/go-build2335982304/b404/cli.test /tmp/go-build2335982304/b404/cli.test -test.testlogfile=/tmp/go-build2335982304/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -q tions/setup/js/n-C ester.lock.yml git port�� *.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore show tnet/tools/bash st-vIoYAV/test-cgit Test k.yml git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel 9Ym34G_sfJyM6o-I^remote\..*\.gh-resolved$ /usr/bin/git 4654-34794/test-git rg/x/text@v0.36.rev-parse g_.a git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linu/tmp/go-build3018861950/b452/_testmain.go /usr/bin/git 4654-34794/test-ls 6003580/b036/imp-lh 6003580/b236=> git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git k/gh-aw/gh-aw rev-parse kflows/schema-fe--show-toplevel git rev-�� --show-toplevel git /usr/bin/git k/gh-aw/gh-aw rev-parse 1/x64/bin/node git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv g_.a Tbt35DxwQ Name,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle GOINSECURE tdrain GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile env DefaultBranchFromLsRemoteWithRealGitcustom_branch385500003/001' DefaultBranchFromLsRemoteWithRealGitcustom_branch385500003/001' ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ortcfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv rdian.md infocmp me: String!) { repository(owne-q rror git /usr/bin/git git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } remote.origin.urgit config DiscussionsEnabl--show-toplevel docker (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv ithub/workflows e_delta_integrat-ifaceassert e_delta_test.go l_description_engit ls.go ls_parser.go ls_timeout_integ-tests ls_t�� ithub/workflows ls_types.go /bin/sh --require /home/REDACTED/worinit yml /bin/sh (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json /color.go x_amd64/compile �� Action pins sgit GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json ii/equal_fold.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json color.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv ithub/workflows --package-lock-o-ifaceassert k/node_modules/.-nilfunc commit.gpgsign false ed } } /opt/hostedtoolc-tests k/gh�� /tmp/go-build207988227/b366/_pkg_.a on repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } /../../.prettiergit erignore -lang=go1.25 node (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv ionpins.test BBDxPPYcw ortcfg.link GOINSECURE GOMOD GOMODCACHE WWO0B1W7QszrdJFJlk/xQe5f0wJO56wlipN0mlS/v5NB_zuqconfig env ortcfg GO111MODULE g_.a GOINSECURE 6003580/b078/ GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv mLsRemoteWithRealGitmain_branch2115758697/001' mLsRemoteWithRealGitmain_branch2115758697/001' me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } k/gh-aw/gh-aw/.ggit git me: String!) { repository(owne/tmp/compile-instructions-test-3378410049/.github/workflows /usr/bin/gh api k/gh-aw/gh-aw -f me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github ed } } git (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env ortcfg qbNVEaFt_ 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion ithub/workflows config er: String!, $na--show-toplevel git -C k/gh-aw/gh-aw/.github/workflows rev-parse e/git-upload-pack json' --ignore-p/usr/bin/git -f odules/npm/node_-v /usr/bin/gh (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE r GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile env 37/001/test-frontmatter-with-arrays.md GO111MODULE x_amd64/compile GOINSECURE lite GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo l remote.origin.urgit .go ache/go/1.25.8/x/home/REDACTED/work/gh-aw/gh-aw git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows outil.go me: String!) { repository(owner: $owner, name:-f -M main ache/node/24.14.-bool git (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name *.json' '!../../remote.origin.url show r: $owner, name: $name) { hasDiscussionsEnabled } } user.name k/gh-aw/gh-aw/ac-C me: String!) { /home/REDACTED/work/gh-aw/gh-aw/.github/workflows git -C ithub/workflows config k/gh-aw/gh-aw/actions/setup/node_modules/.bin/node remote.origin.ur/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -m /home/REDACTED/go/-bool git (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch -obugO3Wj GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile ortc�� g_.a om/segmentio/encoding@v0.5.4/json/codec.go x_amd64/link GOINSECURE er GOMODCACHE x_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch --show-toplevel git /usr/bin/git .js' --ignore-pagit nly $name) { has--show-toplevel git rev-�� ons-test2917712771 ache/go/1.25.8/xrev-parse /usr/bin/git /home/REDACTED/worgit show son git (http block)
• invalid.example.invalid
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git e/git init�� ndor/bin/git git ode_modules/.bin/git =receive test@example.com--git-dir=/tmp/bare-incremental-msbs1T /git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Reorders generated main-job steps so PR base-branch restoration happens before imported pre-agent-steps, preventing APM-restored skills (e.g. .github/skills/) from being overwritten in pull_request runs.

Changes:

• Reordered generateMainJobSteps to download the activation artifact and restore base-branch agent config folders before running pre-agent-steps.
• Added/extended tests to enforce the ordering invariant for both engine: claude and engine: copilot in PR context.
• Updated workflow lockfiles and golden fixtures to reflect the new step ordering.

Show a summary per file

File	Description
pkg/workflow/compiler_yaml_main_job.go	Moves activation artifact download + PR base restore ahead of pre-agent-steps to avoid clobbering restored skills.
pkg/workflow/compiler_pre_agent_steps_test.go	Adds ordering assertions ensuring base restore precedes imported pre-agent-steps (including Copilot repro case).
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden	Updates golden output for new step order (activation download/restore moved earlier).
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden	Updates golden output for new step order in Copilot fixture.
.github/workflows/workflow-normalizer.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/workflow-health-manager.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/weekly-issue-summary.lock.yml	Lockfile updated to reflect activation download earlier in the job.
.github/workflows/video-analyzer.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/update-astro.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/ubuntu-image-analyzer.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/tidy.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/test-workflow.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/test-quality-sentinel.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/test-project-url-default.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/test-dispatcher.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/technical-doc-writer.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/super-linter.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/sub-issue-closer.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/step-name-alignment.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/static-analysis-report.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/stale-repo-identifier.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/spec-enforcer.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/smoke-update-cross-repo-pr.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/smoke-test-tools.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/smoke-service-ports.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/smoke-project.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/smoke-opencode.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/smoke-gemini.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/smoke-crush.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/smoke-create-cross-repo-pr.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/smoke-claude.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/security-review.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/security-compliance.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/schema-consistency-checker.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/safe-output-health.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/research.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/repo-tree-map.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/release.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/refiner.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/refactoring-cadence.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/python-data-charts.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/prompt-clustering-analysis.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/metrics-collector.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/mergefest.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/lockfile-stats.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/layout-spec-maintainer.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/issue-triage-agent.lock.yml	Lockfile updated to reflect activation download earlier in the job.
.github/workflows/instructions-janitor.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/hourly-ci-cleaner.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/hippo-embed.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/gpclean.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/go-logger.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/github-remote-mcp-auth-test.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/github-mcp-tools-report.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/firewall.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/firewall-escape.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/example-workflow-analyzer.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/example-permissions-warning.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/draft-pr-cleanup.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/dictation-prompt.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/dev.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/dev-hawk.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/design-decision-gate.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/delight.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/deep-report.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/dead-code-remover.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-team-status.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-security-red-team.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-secrets-analysis.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-news.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-issues-report.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-integrity-analysis.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-firewall-report.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-doc-healer.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-community-attribution.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-code-metrics.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-cli-performance.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/daily-choice-test.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/craft.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/copilot-token-audit.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/copilot-pr-merged-report.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/copilot-opt.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/copilot-agent-analysis.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/contribution-check.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/constraint-solving-potd.lock.yml	Lockfile updated to reflect activation download earlier in the job.
.github/workflows/codex-github-remote-mcp-test.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/code-simplifier.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/ci-doctor.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/changeset.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/bot-detection.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/auto-triage-issues.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/audit-workflows.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/artifacts-summary.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/architecture-guardian.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/approach-validator.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/api-consumption-report.lock.yml	Lockfile updated to reflect activation download + base restore earlier in the job.
.github/workflows/ace-editor.lock.yml	Lockfile updated to reflect activation download earlier in the job.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 205/205 changed files
• Comments generated: 0

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 80/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	2
✅ Design tests (behavioral contracts)	2 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	2 (100%)
Duplicate test clusters	0
Test inflation detected	Yes (81 test lines / 20 production lines ≈ 4:1)
🚨 Coding-guideline violations	0

---

Test Classification Details

Test	File	Classification	Issues Detected
TestImportedPreAgentStepsRunAfterPRBaseRestore (modified)	pkg/workflow/compiler_pre_agent_steps_test.go:183	✅ Design	None — adds ordering assertion with descriptive message
TestImportedPreAgentStepsRunAfterPRBaseRestoreCopilot (new)	pkg/workflow/compiler_pre_agent_steps_test.go:207	✅ Design	Test inflation (see below)

---

Test Inflation Note

The test file gains 81 lines against 20 production lines in compiler_yaml_main_job.go (≈ 4:1 ratio, threshold 2:1). This triggers the inflation penalty, but the overage is clearly justified: the production change is a step-order resequencing (few lines moved), while the tests must set up full compilation fixtures, compile real workflows, and assert on step indices in generated YAML. The test complexity is inherent to the feature under test, not padding.

---

Flagged Tests — Requires Review

No tests are flagged for quality issues. The inflation is noted for transparency only.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 2 tests — unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). Both tests verify a concrete behavioral ordering contract — that the base-branch restore step is emitted before imported pre-agent steps in the compiled YAML, for both Claude and Copilot engines. Deleting either test would allow the ordering regression described in the PR to go undetected.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References:

• §24896846844

🧪 Test quality analysis by Test Quality Sentinel · ● 687.2K · ◷

[github-actions]

✅ Test Quality Sentinel: 80/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). Both new/modified tests verify the behavioral ordering contract that base-branch restore runs before APM pre-agent steps, covering both Claude and Copilot engines.

[github-actions]

Commit pushed: 2fcf70f

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (123 new lines in business logic directories) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/28290-base-restore-before-pre-agent-steps.md

The draft captures the following decision from the diff:

Enforce a strict ordering invariant in the workflow compiler: "Download activation artifact" and "Restore agent config folders from base branch" must be emitted before pre-agent-steps so that APM-restored skills written to .github/skills/ are not silently clobbered by the base-restore step in pull_request context.

What to do next

1. Review the draft ADR committed to your branch at docs/adr/28290-base-restore-before-pre-agent-steps.md
2. Complete the missing sections — verify the deciders field, confirm the alternatives listed match what was actually considered, and add any context the AI couldn't infer
3. Commit the finalized ADR to docs/adr/ on your branch
4. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-28290: Base Branch Restore Must Precede Pre-Agent Steps

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

---

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 28290-base-restore-before-pre-agent-steps.md for PR #28290).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §24896846777

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 169.7K · ◷

[pelikhan]

@copilot merge main and recompile

review all comments

[Copilot]

@copilot merge main and recompile

review all comments

Done — merged main (resolved a generated lock file conflict in daily-fact.lock.yml), rebuilt the binary, and recompiled all 201 workflows successfully. Commit: c3efb9f.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw IVa44XXM-CoV (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw HB/mORa0PoeeFZGV-C (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)