From 47b5cd80cfe9a3a8b6a4cfc02aa0ecfb4548abd2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 22:12:16 +0000
Subject: [PATCH 1/2] Initial plan
From bf5d27442804a7b421e16b9704a6ebaa632ad3bb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 22:21:15 +0000
Subject: [PATCH 2/2] feat: scope security-review cache-memory to individual PRs using key field
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The original attempt used id: which mounts at a different folder path (/tmp/gh-aw/cache-memory-{id}/) while the prompt references files at /tmp/gh-aw/cache-memory/ — causing memory lookups to fail. The correct approach is key: which keeps the mount at /tmp/gh-aw/cache-memory/ but scopes the GitHub Actions cache to the specific PR number. Per gh-aw docs, custom keys auto-append -RUN_ID, and progressive restore tries the same-PR prefix first before falling back to any previous security review cache.
Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
---
 .github/workflows/security-review.lock.yml | 9 ++++++---
 .github/workflows/security-review.md | 3 ++-
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml
index 0b39007..e3d2142 100644
--- a/.github/workflows/security-review.lock.yml
+++ b/.github/workflows/security-review.lock.yml
@@ -289,10 +289,13 @@ jobs: - name: Restore cache-memory file share data uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: - key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} + key: security-review-pr-${{ github.event.pull_request.number }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory restore-keys: | - memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}- + security-review-pr-${{ github.event.pull_request.number }}- + security-review-pr- + security-review- + security- - name: Configure Git credentials env: REPO_NAME: ${{ github.repository }}
@@ -1175,5 +1178,5 @@ jobs: - name: Save cache-memory to cache (default) uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: - key: memory-${{ env.GH_AW_WORKFLOW_ID_SANITIZED }}-${{ github.run_id }} + key: security-review-pr-${{ github.event.pull_request.number }}-${{ github.run_id }} path: /tmp/gh-aw/cache-memory
diff --git a/.github/workflows/security-review.md b/.github/workflows/security-review.md
index 41f6529..f455065 100644
--- a/.github/workflows/security-review.md
+++ b/.github/workflows/security-review.md
@@ -15,7 +15,8 @@ engine:
 agent: security-reviewer
 tools:
- cache-memory: true
+ cache-memory:
+ key: "security-review-pr-${{ github.event.pull_request.number }}"
 github:
 toolsets: [repos, pull_requests]
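Review bot: The `key:` added under `cache-memory:` names the cache per PR, but the compiled restore step in `security-review.lock.yml` (same patch) still lists `security-review-pr-`, `security-review-` and `security-` as fallback `restore-keys`, so a run that finds no same-PR cache can restore memory saved under another PR's key. Whether that happens in practice depends on the trigger, which is outside this hunk: GitHub scopes caches to the ref that created them, so runs on the `pull_request` event are isolated by ref, while runs in the base-branch context (for example `pull_request_target`) share one scope. The cached files are presumably written by an agent that has read PR content, so I would document the assumption next to the key, e.g. `# restore-keys generated from this key fall back to other PRs' caches; restored memory must be treated as untrusted`, and have the prompt say the same. `github.event.pull_request.number` is also empty on non-pull-request triggers, which would put all such runs under the `security-review-pr--` prefix.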