fix: use roles: all workaround for bot activation (gh-aw#21098) #76

Merged: microsasa merged 1 commit into main from fix/roles-all-workaround on Mar 15, 2026

@microsasa (Owner)

Problem

Agent workflows (review-responder, quality-gate) never activate when triggered by Copilot review events. pre_activation completes successfully but activated output is false, causing activation and agent jobs to be skipped.

Root Cause

Upstream bug in gh-aw's check_membership.cjs (github/gh-aw#21098). When a GitHub App actor (e.g., Copilot) triggers the workflow, getCollaboratorPermissionLevel() returns a 404. The if (result.error) branch exits immediately — before the GH_AW_ALLOWED_BOTS fallback is ever evaluated. The bots: field compiles correctly but the runtime never checks it.

Fix

Add roles: all to skip the permission check entirely. With roles: all, the compiler sets needsRoleCheck = false and omits check_membership.cjs from the pre_activation job. The activated output defaults to true and the agent runs.

This is overly permissive (any actor can trigger the workflow) but is the only viable workaround until the upstream bug is fixed.

Previous Attempts (all merged, none fixed it)

  1. PR #64 "fix: allow Copilot reviewer bot to trigger review-responder and quality-gate" (issue #70 "Fix incorrect bots: placement from PR #64") — Added bots: at top level + roles: all. Wrong: top-level bots: is silently ignored by the compiler. Ironically, the roles: all part would have worked, but we didn't understand why and reverted it in PR #65 "fix: correct bots: placement under on: for agent activation".
  2. PR #65 "fix: correct bots: placement under on: for agent activation" — Moved bots: under on: (correct placement), removed roles: all. Fixed the compilation but didn't fix activation because of the upstream bug.
  3. PR #72 "fix: add Copilot actor to bots list for agent activation" (issue #73 "bug: Copilot actor name mismatch blocks agent activation") — Added Copilot to the bots list (correct actor name). Irrelevant because check_membership.cjs never reaches the bot check.

Changes

Closes

Related

check_membership.cjs has a bug where the error branch from a 404
(GitHub App actors are not users) exits before the bot allowlist
fallback is evaluated. This makes the bots: field ineffective.

Workaround: roles: all skips the permission check entirely so
check_membership.cjs is not included in pre_activation.

Previous attempts that didn't fix this:
- PR #64: bots: at top level (ignored by compiler)
- PR #65: bots: under on: (correct placement, but runtime bug)
- PR #72: added Copilot to bots list (correct actor, but bot check unreachable)

Tracked for removal when upstream is fixed: #74
Upstream bug: github/gh-aw#21098

Closes #75

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
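
The control-flow problem described in the PR description and commit message above, as an added example (not code from this PR or from gh-aw). It is a simplified synchronous model: the collaborator data, the role list, the function names and the `unlisted-app[bot]` actor are constructed for illustration, and only the ordering of the checks follows the description.

```javascript
// Added example, not gh-aw source. All data below is constructed.
const COLLABORATORS = new Map([["microsasa", "admin"], ["drive-by-user", "read"]]);
const ALLOWED_ROLES = ["admin", "maintainer", "write"]; // assumed role list
const ALLOWED_BOTS = ["Copilot"]; // stands in for GH_AW_ALLOWED_BOTS

// Stand-in for getCollaboratorPermissionLevel(): a GitHub App actor is not a
// user, so the lookup reports a 404 error instead of a permission level.
function lookupPermission(actor) {
  return COLLABORATORS.has(actor)
    ? { permission: COLLABORATORS.get(actor) }
    : { error: { status: 404 } };
}

// Ordering described in the PR: the error branch returns first, so the bot
// allowlist below it is unreachable for app actors.
function checkEarlyExit(actor) {
  const result = lookupPermission(actor);
  if (result.error) return { activated: false, reason: "permission_error" };
  if (ALLOWED_ROLES.includes(result.permission)) return { activated: true, reason: "role" };
  if (ALLOWED_BOTS.includes(actor)) return { activated: true, reason: "bot_allowlist" };
  return { activated: false, reason: "insufficient_role" };
}

// Fallback ordering: a failed lookup falls through to the allowlist, and
// anything that matches neither check is still denied.
function checkWithFallback(actor) {
  const result = lookupPermission(actor);
  if (!result.error && ALLOWED_ROLES.includes(result.permission)) {
    return { activated: true, reason: "role" };
  }
  if (ALLOWED_BOTS.includes(actor)) return { activated: true, reason: "bot_allowlist" };
  return { activated: false, reason: result.error ? "permission_error" : "insufficient_role" };
}

// roles: all as described in the PR: no check runs, activation defaults to true.
const checkRolesAll = (_actor) => ({ activated: true, reason: "no_check" });

// One row per actor showing which policies would activate the agent.
function compare(actors) {
  return actors.map((actor) => ({
    actor,
    earlyExit: checkEarlyExit(actor).activated,
    withFallback: checkWithFallback(actor).activated,
    rolesAll: checkRolesAll(actor).activated,
  }));
}

console.table(compare(["microsasa", "drive-by-user", "Copilot", "unlisted-app[bot]"]));
```

The `rolesAll` column is true for every actor, including the read-only user and the unlisted app, which is the permissiveness the PR accepts until the upstream ordering is fixed.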
@microsasa added the bug (Something isn't working) and aw (Created by agentic workflow) labels Mar 15, 2026
Copilot AI review requested due to automatic review settings March 15, 2026 17:23

Copilot AI left a comment

Pull request overview

This PR works around an upstream bug in gh-aw's check_membership.cjs (gh-aw#21098) that prevents bot actors like Copilot from activating agent workflows. The roles: all directive skips the broken permission check entirely, allowing the workflows to activate.

Changes:

  • Added roles: all to review-responder.md and quality-gate.md frontmatter, and recompiled lock files (removing the pre_activation job and its references)
  • Updated docs/agentic-workflows.md to document the upstream bug, workaround, and investigation history
  • Updated docs/changelog.md with the workaround entry and a note on PR #72's insufficiency

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/review-responder.md | Added roles: all to skip permission check |
| .github/workflows/quality-gate.md | Added roles: all to skip permission check |
| .github/workflows/review-responder.lock.yml | Recompiled: removed pre_activation job and its references |
| .github/workflows/quality-gate.lock.yml | Recompiled: removed pre_activation job and its references |
| docs/agentic-workflows.md | Documented upstream bug, workaround, updated pitfalls and debugging sections |
| docs/changelog.md | Added workaround entry and retrospective note on PR #72 |

@microsasa microsasa merged commit ba9f586 into main Mar 15, 2026
9 checks passed
@microsasa microsasa deleted the fix/roles-all-workaround branch March 15, 2026 17:28

Development

Successfully merging this pull request may close these issues.

bug: agent workflows never activate on Copilot review events
