fix(shared/apm): drop stale STATUS banner; recompile lock files to v1.5.0 #1026
danielmeppiel merged 1 commit into main
….5.0

The apps[] + matrix fan-out PR (#982) merged with a stale docstring header ('STATUS: blocked... does not produce a working agent run') and lock files that still pinned microsoft/apm-action@v1.4.2 with the old single-bundle restore path. apm-action v1.5.0 has shipped with the bundles-file: input the shared workflow now relies on; the workflow IS production-ready.

Changes:
- shared/apm.md: drop obsolete STATUS banner; replace with version header pointing at canonical source + apm-action pin so vendored copies can self-check freshness via head -3
- pr-review-panel.lock.yml + triage-panel.lock.yml: regenerated with gh aw compile -- now pin microsoft/apm-action@v1.5.0 (SHA 454b8a1d) and use bundles-file: matrix-aware restore path that #982 designed
- agentics-maintenance.yml: SHA-pin tightening for github/gh-aw-actions (no behavior change)
- docs/integrations/gh-aw.md: add 'Vendor the canonical shared/apm.md' callout explaining the local-file model and how to fetch the current version, with comparison cue for vendored copies

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates the gh-aw integration surface to reflect microsoft/apm-action@v1.5.0 support (notably bundles-file:), removes a stale “blocked” banner from the shared workflow, and regenerates gh-aw compiled lock workflows to pin the new action SHA.
Changes:
- Remove the stale STATUS banner in `.github/workflows/shared/apm.md` and add a short “source of truth / pin” header.
- Regenerate `pr-review-panel.lock.yml` and `triage-panel.lock.yml` to pin `microsoft/apm-action@v1.5.0` and switch to multi-bundle restore via `bundles-file:`.
- Add a docs callout in `docs/src/content/docs/integrations/gh-aw.md` explaining how to vendor the canonical `shared/apm.md`, plus tighten a SHA pin in `agentics-maintenance.yml` and update `.github/aw/actions-lock.json`.
Show a summary per file
| File | Description |
|---|---|
| docs/src/content/docs/integrations/gh-aw.md | Adds guidance to vendor the canonical shared/apm.md and verify its header pins. |
| .github/workflows/shared/apm.md | Removes stale “blocked” banner; adds “source of truth” + action pin header and updates documentation link. |
| .github/workflows/pr-review-panel.lock.yml | Regenerated lock workflow to use apm-action@v1.5.0 and multi-bundle restore; introduces apm-prep matrix. |
| .github/workflows/triage-panel.lock.yml | Same as above for the triage panel workflow. |
| .github/workflows/agentics-maintenance.yml | Tightens setup-cli action reference to a SHA pin. |
| .github/aw/actions-lock.json | Adds/updates action entries to support the new pins used by regenerated lock workflows. |
Copilot's findings
- Files reviewed: 6/6 changed files
- Comments generated: 2
| AW_APM_LEGACY_OWNER: ${{ github.aw.import-inputs.owner }} | ||
| AW_APM_LEGACY_PRIVATE_KEY: ${{ github.aw.import-inputs.private-key }} | ||
| AW_APM_LEGACY_REPOS: ${{ github.aw.import-inputs.repositories }} | ||
| AW_APM_PACKAGES: "[microsoft/apm#main]" |
AW_APM_PACKAGES is consumed as JSON via --argjson packages "$packages_json", but the value here ([microsoft/apm#main]) is not valid JSON and will cause the jq compute step to fail. Provide a valid JSON array string (e.g. ["microsoft/apm#main"]) or use the same ${{ github.aw.import-inputs.packages }} source as the canonical shared/apm.md.
| AW_APM_PACKAGES: "[microsoft/apm#main]" | |
| AW_APM_PACKAGES: "[\"microsoft/apm#main\"]" |
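Review bot: the suggested replacement on the `AW_APM_PACKAGES` line is a hand edit to a compiled lock file, so the next `gh aw compile` would regenerate the unquoted `[microsoft/apm#main]` and the `jq --argjson` failure would return. Make the value valid JSON where it is produced, in `shared/apm.md` before it reaches jq, and then recompile both lock files rather than patching them.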
| AW_APM_LEGACY_OWNER: ${{ github.aw.import-inputs.owner }} | ||
| AW_APM_LEGACY_PRIVATE_KEY: ${{ github.aw.import-inputs.private-key }} | ||
| AW_APM_LEGACY_REPOS: ${{ github.aw.import-inputs.repositories }} | ||
| AW_APM_PACKAGES: "[microsoft/apm#main]" |
AW_APM_PACKAGES is passed into jq with --argjson, so it must be valid JSON. The current value ([microsoft/apm#main]) is invalid JSON and will break apm-prep at runtime. Use a JSON array string (e.g. ["microsoft/apm#main"]) or wire this to ${{ github.aw.import-inputs.packages }} as in .github/workflows/shared/apm.md.
| AW_APM_PACKAGES: "[microsoft/apm#main]" | |
| AW_APM_PACKAGES: "[\"microsoft/apm#main\"]" |
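Review bot: `AW_APM_LEGACY_PRIVATE_KEY` (second context line of this hunk) should only ever receive a secrets reference, because the `AW_APM_PACKAGES` line two below it shows an import input rendered as a literal into this committed lock file. State next to the `private-key` input in `shared/apm.md` that a literal value must never be passed, so key material cannot be written into a lock file the same way.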
PR #982 added a Compute APM credential-group matrix step that feeds `${{ github.aw.import-inputs.packages }}` to `jq --argjson`. gh-aw substitutes that template at compile time using Go's default slice formatter, which emits `[microsoft/apm#main]` (space-separated, no quotes) instead of valid JSON `["microsoft/apm#main"]`. jq rejects the malformed input and apm-prep fails, blocking every PR run of the review panel and every triage-panel labelled issue.

The bug shipped latent in #982 (locks not regenerated) and surfaced in #1026 when the locks were recompiled. Pinning gh-aw does not help: the same compiler version (v0.68.3) produced both shapes -- the difference was the new compute step that started routing the substituted value through `--argjson`.

Fix: add a small Bash+Python repair_string_array helper in shared/apm.md that detects malformed Go-slice strings and rewrites them as JSON before they reach jq. Already-valid JSON and 'null' pass through untouched. apps[] (object arrays) is not repairable this way -- consumers must use the legacy single-app inputs until upstream gh-aw exposes a JSON-encoding helper for import-inputs (paper-cut filed upstream).

- shared/apm.md: add repair_string_array helper for AW_APM_PACKAGES
- pr-review-panel.lock.yml + triage-panel.lock.yml: recompile

Verified locally with the live shared/apm.md run-block against four inputs ([single], [multi space-separated], null, already-valid JSON); all produce a correctly-typed matrix.group.packages array.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
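The repair described in the commit message above, as an added Python example (not the project's `shared/apm.md` helper; only the name `repair_string_array` comes from the page). It passes `null` and already-valid JSON string arrays through unchanged, rewrites a Go-formatted slice such as `[a b]`, and fails closed on anything else; the token allowlist is an assumption about what package references look like.

```python
import json
import re

# Assumption: a package reference is owner/repo with an optional #ref or @version.
_PACKAGE_TOKEN = re.compile(r"[A-Za-z0-9._/@#:+-]+")


def repair_string_array(raw: str) -> str:
    """Return text safe to hand to `jq --argjson`: 'null' or a JSON array of strings."""
    text = raw.strip()
    if text == "null":
        return text
    try:
        parsed = json.loads(text)
    except ValueError:
        pass  # not JSON: may be a Go-formatted slice, handled below
    else:
        # Valid JSON passes through untouched, but only if it has the expected type.
        if isinstance(parsed, list) and all(isinstance(p, str) for p in parsed):
            return text
        raise ValueError(f"expected a JSON array of strings, got: {text!r}")

    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError(f"not a JSON array or Go-style slice: {text!r}")
    tokens = text[1:-1].split()
    # Go's default formatting of a slice of maps looks like [map[k:v]];
    # the inner brackets fail the allowlist, so object arrays are rejected.
    rejected = [t for t in tokens if not _PACKAGE_TOKEN.fullmatch(t)]
    if rejected:
        raise ValueError(f"cannot repair elements {rejected!r} in {text!r}")
    return json.dumps(tokens)


if __name__ == "__main__":
    # Constructed inputs mirroring the four cases listed in the commit message,
    # plus one object-array shape that must be refused.
    for sample in ("[microsoft/apm#main]", "[org-a/pkg#main org-b/pkg]", "null",
                   '["microsoft/apm#main"]', "[map[owner:org-a]]"):
        try:
            print(f"{sample!r:32} -> {repair_string_array(sample)}")
        except ValueError as err:
            print(f"{sample!r:32} -> rejected ({err})")
```

Rejecting unexpected shapes instead of guessing keeps a malformed or hostile import input from reaching the matrix computation as something other than a list of package names.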
Promotes [Unreleased] -> [0.11.0] - 2026-04-29 and bumps pyproject.toml + uv.lock to 0.11.0.

Version-bump rationale: 0.11.0 (minor bump) chosen over 0.10.1 because this release ships one BREAKING removal (`apm marketplace build` -> exits 2, use `apm pack`) plus several net-new features (Dev Container Feature, Codex project-scoped MCP, `marketplace:` block in apm.yml, `apm pack` unification, multi-org `apps[]`). Strict semver in 0.x: minor for features-with-break, patch only for bugfixes.

Milestone admin (done out-of-band):
- Renamed milestone #8 `0.10.1` -> `0.11.0`
- Created milestone #9 `0.12.0` as next-up bucket
- Moved 43 open items (42 issues + 1 open PR #999) from `0.11.0` -> `0.12.0`
- 6 closed items stay in `0.11.0`

PRs shipping in 0.11.0 (22 commits since v0.10.0):

User-facing features:
- #1042/#722 `apm pack` unifies bundle + marketplace.json (BREAKING: `apm marketplace build` removed)
- #1038 `marketplace:` block in apm.yml + `apm marketplace migrate`
- #803/#502 Codex project-scoped MCP (`.codex/config.toml`) + user-scope primitives
- #861 Dev Container Feature `ghcr.io/microsoft/apm/apm-cli`
- #982/#984 shared/apm.md `apps:` array for cross-org private packages
- #820 `target:` in apm.yml validates at parse time
- #1032 `apm marketplace add` honors manifest.name (Claude Code parity)
- #1000/#998/#994 unified `--policy` / `--policy-source` accepted forms

User-facing fixes:
- #1015 ADO Entra ID auth + `apm install --update` pre-flight abort
- #1019/#1020 GEMINI.md only created when target requested
- #1008 marketplace producer respects GITHUB_HOST + multi-host URL forms
- #1018 POSIX paths in auto-discovery output (Windows compat)
- #996 drop stray 'specify' from generated file footer

Maintainer tooling:
- #1043 NOTICE.md per CELA template
- #1045/#1044 NOTICE drift gate + license-policy gate in CI
- #1033 shared/apm.md `[a b]` import-input repair (gh-aw#29076 paper-cut)
- #1030 panel workflows skip-don't-fail on unmatched labels; gh-aw v0.71.1
- #1026 shared/apm.md recompiled to apm-action v1.5.0 + bundles-file
- #1022 review-panel: true fan-out + binary verdict + label automation
- #918 complexity audit + benchmarks suite
- #1002 CodeQL clear-text-storage false-positive resolved (token -> placeholder)

Files changed:
- pyproject.toml: 0.10.0 -> 0.11.0
- uv.lock: regenerated (version field only)
- CHANGELOG.md: [Unreleased] promoted to [0.11.0] - 2026-04-29

NOTICE drift check passes against the bumped lockfile.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore(release): cut 0.11.0

Promotes [Unreleased] -> [0.11.0] - 2026-04-29 and bumps pyproject.toml + uv.lock to 0.11.0.

Version-bump rationale: 0.11.0 (minor bump) chosen over 0.10.1 because this release ships one BREAKING removal (`apm marketplace build` -> exits 2, use `apm pack`) plus several net-new features (Dev Container Feature, Codex project-scoped MCP, `marketplace:` block in apm.yml, `apm pack` unification, multi-org `apps[]`). Strict semver in 0.x: minor for features-with-break, patch only for bugfixes.

Milestone admin (done out-of-band):
- Renamed milestone #8 `0.10.1` -> `0.11.0`
- Created milestone #9 `0.12.0` as next-up bucket
- Moved 43 open items (42 issues + 1 open PR #999) from `0.11.0` -> `0.12.0`
- 6 closed items stay in `0.11.0`

PRs shipping in 0.11.0 (22 commits since v0.10.0):

User-facing features:
- #1042/#722 `apm pack` unifies bundle + marketplace.json (BREAKING: `apm marketplace build` removed)
- #1038 `marketplace:` block in apm.yml + `apm marketplace migrate`
- #803/#502 Codex project-scoped MCP (`.codex/config.toml`) + user-scope primitives
- #861 Dev Container Feature `ghcr.io/microsoft/apm/apm-cli`
- #982/#984 shared/apm.md `apps:` array for cross-org private packages
- #820 `target:` in apm.yml validates at parse time
- #1032 `apm marketplace add` honors manifest.name (Claude Code parity)
- #1000/#998/#994 unified `--policy` / `--policy-source` accepted forms

User-facing fixes:
- #1015 ADO Entra ID auth + `apm install --update` pre-flight abort
- #1019/#1020 GEMINI.md only created when target requested
- #1008 marketplace producer respects GITHUB_HOST + multi-host URL forms
- #1018 POSIX paths in auto-discovery output (Windows compat)
- #996 drop stray 'specify' from generated file footer

Maintainer tooling:
- #1043 NOTICE.md per CELA template
- #1045/#1044 NOTICE drift gate + license-policy gate in CI
- #1033 shared/apm.md `[a b]` import-input repair (gh-aw#29076 paper-cut)
- #1030 panel workflows skip-don't-fail on unmatched labels; gh-aw v0.71.1
- #1026 shared/apm.md recompiled to apm-action v1.5.0 + bundles-file
- #1022 review-panel: true fan-out + binary verdict + label automation
- #918 complexity audit + benchmarks suite
- #1002 CodeQL clear-text-storage false-positive resolved (token -> placeholder)

Files changed:
- pyproject.toml: 0.10.0 -> 0.11.0
- uv.lock: regenerated (version field only)
- CHANGELOG.md: [Unreleased] promoted to [0.11.0] - 2026-04-29

NOTICE drift check passes against the bumped lockfile.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(changelog): tighten 0.11.0 entries to lead with user impact

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(changelog): move Dev Container Feature to Maintainer tooling (not yet published)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(changelog): de-dupe within 0.11.0 (combine #722 Removed bullets, drop #820 Fixed pointer)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Why
apm-action v1.5.0 shipped (#984 → microsoft/apm-action#30) with the `bundles-file:` input that #982's matrix fan-out depends on. PR #982 merged correctly in source but left two artifacts stale:
- `shared/apm.md` carried a `STATUS: blocked` docstring saying "this workflow does not produce a working agent run; the diff is for design review only." The body has since been wired to v1.5.0 + `bundles-file:` for real, but the banner was never updated. Anyone reading `head -20 shared/apm.md` today gets misleading info.
- `pr-review-panel.lock.yml` + `triage-panel.lock.yml` were not regenerated, so they still SHA-pin `microsoft/apm-action@v1.4.2` with the old single-`bundle:` restore. Runtime executes v1.4.2 logic against a workflow source that says v1.5.0. This is a real drift, not cosmetic.

What this PR does
- `shared/apm.md`. `head -3`s the file now knows whether their copy is current.
- `gh aw compile`. Both `pr-review-panel.lock.yml` and `triage-panel.lock.yml` now pin `apm-action@454b8a1d` (v1.5.0) and use the new matrix-aware restore (apm-prep job, multi-bundle download, bundles-file build, validation against expected matrix). `agentics-maintenance.yml` got SHA pin tightening only — no behavior change.
- `integrations/gh-aw.md` ("Vendor the canonical `shared/apm.md`") explaining `shared/apm.md` is a local file with two competing copies in the wild, with a `curl` command to fetch the canonical microsoft/apm version. This is the user-facing surface we own regardless of what gh-aw does upstream.

Why now
The next gh-aw panel run on a labelled PR/issue would have used the v1.4.2 SHA (because that's what the lock file pinned), masking the v1.5.0 capabilities #982 was supposed to enable. Catching this BEFORE we tell the world about v1.5.0 / before any external user finds the apparent contradiction.

Validation
- `gh aw compile` clean (1 unrelated warning about `push-to-pull-request-branch` target).
- `microsoft/apm-action@454b8a1d279376a47df8bb8d525ec076ca0fcef7 # v1.5.0`.
- `Restore APM packages (all bundles)` step in both lock files now uses `bundles-file: /tmp/gh-aw/apm-bundle-list.txt` instead of the old single `bundle:` parameter.
- `pr-review-panel.lock.yml` against itself (eats own dogfood).

Out of scope
- `github/gh-aw/.github/workflows/shared/apm.md` is still pinned to v1.4.2 with the deprecated `dependencies:` shape). Tracking separately — talk-first, then issue.