Skip to content

fix: dedicated upload_code_scanning_sarif job with SARIF artifact transfer, direct checkout token computation, and github-app checkout support#24322

Merged
pelikhan merged 15 commits intomainfrom
copilot/add-sarif-upload-git-commit-references
Apr 3, 2026
Merged

fix: dedicated upload_code_scanning_sarif job with SARIF artifact transfer, direct checkout token computation, and github-app checkout support#24322
pelikhan merged 15 commits intomainfrom
copilot/add-sarif-upload-git-commit-references

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 3, 2026
edited by github-actions bot
Loading

github/codeql-action/upload-sarif fails with "commit not found" when the safe_outputs job has checked out a different branch for PR operations (e.g., the base branch), because the local HEAD no longer matches the triggering commit. Additionally, the SARIF file generated in safe_outputs is not available in the separate upload job's fresh workspace.

Changes

  • Dedicated upload_code_scanning_sarif job: The SARIF restore checkout and upload are moved out of the consolidated safe_outputs job into their own separate job. This prevents the workspace checkout swap (needed to restore HEAD to github.sha) from interfering with other safe-output operations running in safe_outputs (e.g., create-pull-request, push-to-pull-request-branch)
    • needs: [safe_outputs]
    • if: needs.safe_outputs.outputs.sarif_file != '' — only runs when there is work to do
    • permissions: contents: read, security-events: write
  • SARIF artifact upload in safe_outputs: After process_safe_outputs runs, the SARIF file is uploaded as a GitHub Actions artifact (code-scanning-sarif, retention-days: 1), conditional on sarif_file != ''. This is required because the upload job runs in a fresh workspace and cannot access files from the safe_outputs workspace via job-output path strings alone.
  • SARIF artifact download in upload_code_scanning_sarif: The upload job downloads the code-scanning-sarif artifact to /tmp/gh-aw/sarif/ and passes the local path directly to github/codeql-action/upload-sarif.
  • Direct checkout token computation in upload_code_scanning_sarif: The token is computed directly inside buildCodeScanningUploadJob rather than passing it through safe_outputs job outputs — GitHub Actions silently masks job outputs that contain secret references, causing the downstream job to receive an empty string and fail with "Input required and not supplied: token".
  • checkout: github-app: support in the upload job: When the default checkout is configured with a GitHub App, buildCodeScanningUploadJob mints a fresh token (step ID checkout-restore-app-token) at the top of the upload job using buildGitHubAppTokenMintStep. The activation/safe_outputs app tokens have expired by this point, so a new token must be minted. The minted token (${{ steps.checkout-restore-app-token.outputs.token }}) is used for both the restore-checkout step and the upload-sarif token input.
  • checkout: github-token: support in the upload job: When the default checkout is configured with a static PAT, computeStaticCheckoutToken picks it up from CheckoutManager and uses it directly.
  • sarif_file job output on safe_outputs so the new job can gate on needs.safe_outputs.outputs.sarif_file != ''.
  • Restore checkout step in the new job: uses actions/checkout with the computed token (static PAT, minted app token, or default) to restore the workspace to the triggering commit before SARIF upload.
  • Explicit ref/sha inputs on upload-sarif: pins the upload to the correct commit/ref regardless of local git state.
  • smoke-claude.md updated: Added create-code-scanning-alert: driver: "Smoke Claude" safe output and a new test step (Weekly Research Report: AI Workflow Automation Landscape and Strategic Opportunities - August 2025 #12) that posts a dummy warning code scanning alert to exercise the full SARIF artifact upload/download pipeline. Fixed push-to-pull-request-branch allowed-files to use smoke-test-files/smoke-claude-push-test.md instead of .github/smoke-claude-push-test.md — the .github/ prefix is in protected_path_prefixes so the old path caused safe_outputs to fail.
# safe_outputs job (excerpt)
- name: Upload SARIF artifact
  if: steps.process_safe_outputs.outputs.sarif_file != ''
  uses: actions/upload-artifact@...
  with:
    name: code-scanning-sarif
    path: ${{ steps.process_safe_outputs.outputs.sarif_file }}
    if-no-files-found: error
    retention-days: 1

# upload_code_scanning_sarif job (github-app checkout example)
upload_code_scanning_sarif:
  needs: safe_outputs
  if: needs.safe_outputs.outputs.sarif_file != ''
  permissions:
    contents: read
    security-events: write
  steps:
    - name: Generate GitHub App token   # only when checkout: github-app: is configured
      id: checkout-restore-app-token
      uses: actions/create-github-app-token@...
      with:
        app-id: ${{ vars.APP_ID }}
        private-key: ${{ secrets.APP_PRIVATE_KEY }}
        ...
    - name: Restore checkout to triggering commit
      uses: actions/checkout@...
      with:
        ref: ${{ github.sha }}
        token: ${{ steps.checkout-restore-app-token.outputs.token }}
        persist-credentials: false
        fetch-depth: 1
    - name: Download SARIF artifact
      uses: actions/download-artifact@...
      with:
        name: code-scanning-sarif
        path: /tmp/gh-aw/sarif/
    - name: Upload SARIF to GitHub Code Scanning
      id: upload_code_scanning_sarif
      uses: github/codeql-action/upload-sarif@...
      with:
        token: ${{ steps.checkout-restore-app-token.outputs.token }}
        sarif_file: /tmp/gh-aw/sarif/code-scanning-alert.sarif
        ref: ${{ github.ref }}
        sha: ${{ github.sha }}
        wait-for-processing: true

These fixes are now baked into the compiler so gh aw compile generates them automatically — no more manual lock file patching after every recompile.

✨ PR Review Safe Output Test - Run 23960187828

💥 [THE END] — Illustrated by Smoke Claude · ● 373.1K ·

Copilot AI linked an issue Apr 3, 2026 that may be closed by this pull request
SARIF upload requires additional git commit references #23940
Closed
@pelikhan
fix: add git checkout and ref/sha inputs to SARIF upload step
af42122 
The github/codeql-action/upload-sarif action requires the local git HEAD to
match the commit being scanned. When the agent job checks out a different
branch (e.g., when creating a PR), the upload fails with "commit not found".

Two fixes are applied to buildUploadCodeScanningSARIFStep:
1. Add a "Reset git HEAD to triggering commit for SARIF upload" step that runs
   `git checkout ${{ github.sha }}` before the upload, ensuring the local HEAD
   matches the triggering commit.
2. Add `ref: ${{ github.ref }}` and `sha: ${{ github.sha }}` inputs to the
   upload-sarif action, explicitly associating the SARIF results with the
   correct triggering commit/ref.

Both the reset step and the upload step are conditional on
`steps.process_safe_outputs.outputs.sarif_file != ''`.

Tests are updated to verify the new step and inputs are present.

Fixes #<issue>

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/d5cc43c1-ee6d-4fb2-a8f0-5bdd1b6840a3

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add additional git commit references for SARIF upload fix: add git HEAD reset and explicit ref/sha to SARIF upload step Apr 3, 2026
Copilot AI requested a review from pelikhan April 3, 2026 14:25
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 3, 2026

@copilot use the information in the checkout manager to restore the current checkout

@pelikhan
fix: use actions/checkout with checkout manager token for SARIF restore
b4df5c8 
Instead of a raw `git checkout ${{ github.sha }}` command, use a proper
`actions/checkout` step that leverages the checkout manager's information
(user-configured checkout token from frontmatter) to restore the workspace
to the triggering commit before SARIF upload.

The new `resolveRestoreCheckoutToken` method consults the checkout manager
for the user's configured checkout token (checkout: github-token: ...) and
falls back to the PR checkout token chain if no override is present.

This ensures credentials are handled consistently with the rest of the
safe_outputs job and works correctly even without a prior PR checkout.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5ebfad75-31de-4db1-bb25-505c7ba62c67

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 3, 2026

@copilot use the information in the checkout manager to restore the current checkout

Done in b4df5c8. Replaced the raw git checkout ${{ github.sha }} with a proper actions/checkout step. A new resolveRestoreCheckoutToken helper consults the CheckoutManager (built from data.CheckoutConfigs) for the user's configured checkout: github-token: first, then falls back to the PR checkout token chain, then default. This keeps credential handling consistent with the rest of the safe_outputs job.

Copilot AI changed the title fix: add git HEAD reset and explicit ref/sha to SARIF upload step fix: add actions/checkout restore and explicit ref/sha to SARIF upload step Apr 3, 2026
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 3, 2026

@copilot move create code scanning alerts in own job to avoid interfering with other safe_jobs.

needs safe_outputs and if only there is work to do

@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 3, 2026

@copilot merge main and update checkout secret from outputs

Copilot AI and others added 2 commits April 3, 2026 15:01
@pelikhan
chore: initial plan for code scanning job separation
a78b257 
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5d63b40a-5b47-473d-80ed-f5d7ee0de07d

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
feat: move SARIF upload into dedicated upload_code_scanning_sarif job
c56d31f 
The SARIF restore checkout and upload steps are moved out of the consolidated
safe_outputs job into a dedicated upload_code_scanning_sarif job that:
- needs: [safe_outputs]
- if: needs.safe_outputs.outputs.sarif_file != '' (only runs when there is work)
- permissions: contents:read, security-events:write

This avoids the repo checkout (needed to restore HEAD to github.sha) from
interfering with other safe-output operations (create-pull-request,
push-to-pull-request-branch, etc.) that also modify the workspace checkout
in the consolidated safe_outputs job.

The safe_outputs job still exports sarif_file so the new job can gate on it.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5d63b40a-5b47-473d-80ed-f5d7ee0de07d

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 3, 2026
edited
Loading

@copilot move create code scanning alerts in own job to avoid interfering with other safe_jobs.

needs safe_outputs and if only there is work to do...

Done in c56d31f. The SARIF restore checkout and upload are now in a dedicated upload_code_scanning_sarif job that:

  • needs: [safe_outputs]
  • if: needs.safe_outputs.outputs.sarif_file != '' — only runs when there's work to do
  • permissions: contents:read, security-events:write

The safe_outputs job still exports sarif_file (from steps.process_safe_outputs.outputs.sarif_file) so the gate condition works. This keeps the checkout-swapping operations isolated from the rest of the safe-output steps.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE ger.test git rev-�� --show-toplevel ger.test /usr/bin/git -json GO111MODULE ache/go/1.25.0/x--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw git /usr/bin/git /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git agent-performancgit git /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw git /usr/bin/git git rev-�� --show-toplevel git 1/x64/bin/node --show-toplevel x_amd64/vet /usr/bin/git git (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --show-toplevel bash /usr/bin/git --noprofile stmain.go ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/link /usr/bin/git 8341829/b454/scr/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link git-upload-pack -o 8341829/b454/imp/tmp/go-build4072487313/b395/constants.test git (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/archie.md go /usr/bin/git ub/workflows GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha /tmp/gh-aw-test-runs/20260403-151007-34767/test-1767925604 rev-parse /usr/bin/git @{u} --jq /usr/bin/git git rev-�� --show-toplevel t /usr/bin/git y-test.md git /usr/bin/git git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -bool (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha /tmp/go-build4072487313/b401/fileutil.test -importcfg /tmp/go-build4072487313/b418/repoutil.test -s -w -buildmode=exe /tmp/go-build4072487313/b418/repoutil.test -tes�� -test.timeout=10m0s -test.count=1 /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 38/001/test-inlined-imports-enabled-with-body-content.md GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel go /usr/bin/git faultBranchFromLgit faultBranchFromLrev-parse epo.git git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel /tmp/go-build1048341829/b424/_testmain.go /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /repos/actions/github-script/git/ref/tags/v8 --jq /usr/bin/git /tmp/go-build310git -trimpath 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel go /usr/bin/git ace-editor.md GO111MODULE sh git rev-�� --show-toplevel go /usr/bin/git -json stmain.go 1/x64/bin/node git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build1048341829/b430/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil_test.go -c k/gh-aw/gh-aw/pk-errorsas GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-tests (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha WkAN/IZJq-3bhyJZGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 6313734/b422/imp-trimpath -c che/go-build/ab/-p GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcgit-upload-pack &#39;/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitbranch_with_hyphen2349903892/001&#39; (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -unreachable=false /tmp/go-build1048341829/b113/vet.cfg /opt/hostedtoolcache/node/24.14.1/x64/bin/node /tmp/go-build310git -trimpath 64/bin/go node /tmp�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/agent-persona-explorer.md go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha uts.branch git /usr/bin/git --show-toplevel gh /usr/bin/git git add test.txt git /usr/bin/git --show-toplevel node /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git assword=$GITHUB_git assword=$GITHUB_rev-parse /usr/bin/git git rev-�� HEAD git 1/x64/bin/node --show-toplevel git /opt/hostedtoolc--show-toplevel git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel -dwarf=false /usr/bin/git go1.25.0 -c=4 -nolocalimports git init�� -pack /tmp/go-build1048341829/b437/_testmain.go /usr/bin/git Gitbranch_with_hgit Gitbranch_with_hrev-parse 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git conf�� user.name Test User /usr/bin/git y-frontmatter.mdgit git /opt/hostedtoolc--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel node /usr/bin/git git comm�� -m Initial 1/x64/bin/node --show-toplevel x_amd64/link /usr/bin/git git (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel ache/node/24.14.1/x64/bin/node 1/x64/bin/node .repository }}, bash git /usr/bin/git git cjs --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel git /usr/bin/git git _out�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha /tmp/TestCompileErrorFormatting2060143651/001 rev-parse /usr/bin/git -mod=readonly -e 64/bin/go git rese�� HEAD .github/workflows/test.md /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel git ache/node/24.14.1/x64/bin/node --show-toplevel git /usr/bin/git ache/node/24.14.1/x64/bin/node s-21�� b.actor }}, Repo: ${{ github.repository }} git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha licyBlockedUsersApprovalLabelsCompiledOutput3585445689/001 GO111MODULE /usr/bin/make GOINSECURE GOMOD GOMODCACHE make test�� GOPATH GOPROXY 1/x64/bin/node GOSUMDB GOWORK 64/bin/go 1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /proc/self/fd/9 --show-toplevel go /usr/bin/git /usr/lib/systemd/systemd-executor --de�� k/gh-aw/gh-aw/.github/workflows --log-level /usr/bin/git ntent.md journal-or-kmsg /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 0710-29463/test-4279514405 GO111MODULE 8341829/b428/_pkg_.a l GOMOD GOMODCACHE bash --no�� --noprofile GOPROXY 1/x64/bin/node GOSUMDB GOWORK 64/bin/go 1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha sistency_GoAndJavaScript3949949823/001/test-frontmatter-with-nested-objects.md git /usr/bin/find --show-toplevel go n-dir/node find /pro�� k/gh-aw/gh-aw/.github/workflows -lname /usr/lib/git-core/git-upload-pack -exec touch -c git-upload-pack (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2964806100/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel git es --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 git ortcfg.link --show-toplevel go /usr/bin/git D1lWEcyjNX6sf4U5_0/mCTHgOgtaCf7iQExit-m/6Ebjl_hBj3NmIzfr0AC9 rev-�� auto-triage-issues.md git g_.a --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 748957635/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 DefaultBranchFromLsRemoteWithRealGitmain_branch2979612907/001&#39; ceutil.test --show-toplevel go /usr/bin/git ceutil.test rev-�� auto-triage-issues.md git iptables --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2964806100/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel git iptables --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 gh 64/pkg/tool/linux_amd64/vet /repos/actions/cgit --jq /usr/bin/git 64/pkg/tool/linux_amd64/vet rev-�� --show-toplevel git ptables --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 infocmp /usr/bin/git 4 -type d -namegit go /usr/bin/git git rev-�� 1007-34767/test-2085954612/.github/workflows git 1/x64/bin/node --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOWORK 64/bin/go sh -c &#34;prettier&#34; --che-s sh 64/bin/go tierignore (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--verify git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git LsRemoteWithRealgit LsRemoteWithRealrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git rity3436978800/0git /usr/lib/git-corshow-ref 64/pkg/tool/linu--verify git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ility-kit.md GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel node /opt/hostedtoolc/tmp/TestGuardPolicyTrustedUsersRequiresMinIntegrity3436978800/001 git rev-�� ub/workflows &#39;origin&#39; /usr/bin/git /tmp/go-build104node -trimpath /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha &#34;prettier&#34; --che-errorsas GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc--revs -V=f�� (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git /usr/bin/git /tmp/TestGuardPo/bin/sh config /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel node /opt/hostedtoolc/tmp/TestGuardPolicyTrustedUsersRequiresMinIntegrity3436978800/001 git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha 6313734/b395/emb-errorsas GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-tests -o /tmp/go-build3106313734/b349/_pkGOINSECURE -trimpath 64/bin/go -p github.com/githu-C -lang=go1.25 rPe-Sxv/qvF4S3-Fconfig (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha k/gh-aw/gh-aw/pk-errorsas k/gh-aw/gh-aw/pk-ifaceassert 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcdevelop -o /tmp/go-build3106313734/b409/_pkGOINSECURE -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha che/go-build/9d/-errorsas GOPROXY 64/bin/go iles use Prettie/bin/sh GOWORK 64/bin/go /opt/hostedtoolcgit-upload-pack &#39;/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitcustom_branch2030271289/001&#39; -o /tmp/go-build3106313734/b418/_pkGOINSECURE -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha k/gh-aw/gh-aw/pk-errorsas k/gh-aw/gh-aw/pk-ifaceassert 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-buildtags -o /tmp/go-build310-errorsas -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --show-toplevel git /usr/bin/git /tmp/TestGuardPo/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet config /usr/bin/git git rev-�� --show-toplevel git /usr/bin/infocmp-nilfunc --show-toplevel node /opt/hostedtoolc--get infocmp (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git ache/node/24.14.1/x64/bin/node --show-toplevel 64/pkg/tool/linu-C /usr/bin/git git (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ty-test.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 8341829/b454/_teconfig /opt/hostedtoolcuser.name git rev-�� ub/workflows (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env y_only_defaults_repo3034247266/001 GO111MODULE 86_64/bash GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion --show-toplevel x_amd64/link /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel EC/vKfaaJsUtRlxjrun /usr/bin/git git (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -nolocalimports -importcfg /tmp/go-build4072487313/b401/importcfg -pack /tmp/go-build4072487313/b401/_testmain.go rev-�� --show-toplevel 1/x64/bin/node /usr/bin/git r-test4130180137git r-test4130180137rev-parse /usr/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo /usr/bin/git 8341829/b434/sligit GOPROXY 1/x64/bin/node git rev-�� --show-toplevel 1/x64/bin/node /usr/bin/git ry=1 go ache/node/24.14.--show-toplevel git (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build1048341829/b396/cli.test /tmp/go-build1048341829/b396/cli.test -test.testlogfile=/tmp/go-build1048341829/b396/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD erignore go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /tmp/go-build4072487313/b001/cli.test /tmp/go-build4072487313/b001/cli.test -test.paniconexit0 -test.timeout=10m0s -test.count=1 api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq /usr/bin/git licyBlockedUsersgit GO111MODULE /usr/bin/make git rev-�� --show-toplevel make /usr/bin/git p/TestGetNpmBinPgit GOPROXY 1/x64/bin/node git (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build1048341829/b396/importcfg -pack /tmp/go-build1048341829/b396/_testmain.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name go1.25.0 (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title fix: add actions/checkout restore and explicit ref/sha to SARIF upload step fix: add actions/checkout restore, explicit ref/sha, and dedicated upload job for SARIF upload Apr 3, 2026
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 3, 2026

@copilot the sariff file needs to be uploaded in an artifact and downloaded in the sariff job

@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 3, 2026

@copilot update smoke-Claude to post a dummy warning code alert using the safe output

Copilot AI and others added 2 commits April 3, 2026 15:20
Merge remote-tracking branch 'origin/main' into copilot/add-sarif-upl…
26d2cbe 
…oad-git-commit-references

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
feat: merge main and use checkout_token from safe_outputs job outputs
46efb86 
- Merge origin/main (includes feat: bundle token usage, fix: wasm golden files)
- Add computeStaticCheckoutToken helper that computes a static checkout token
  (secret ref) without referencing any step output — safe to export as a job output
- Export checkout_token from safe_outputs job when create-code-scanning-alert
  is configured; the value is the static PAT or default GH_AW_GITHUB_TOKEN ||
  GITHUB_TOKEN (GitHub App tokens are excluded because they are minted and revoked
  in safe_outputs, so they would be invalid by the time the upload job runs)
- buildCodeScanningUploadJob now uses needs.safe_outputs.outputs.checkout_token
  for both the restore checkout step and addUploadSARIFToken, removing the
  broken step-output reference (${{ steps.safe-outputs-app-token.outputs.token }})
  that did not exist in the separate job context

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f1d25327-92dd-47a9-bbed-2121e981af50

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 3, 2026
edited
Loading

@copilot merge main and update checkout secret from outputs

Done in 46efb86.

Merged main — all 183 workflows recompiled cleanly.

Checkout token from outputs: safe_outputs now exports a checkout_token job output computed by a new computeStaticCheckoutToken helper. This helper returns a static secret reference (user-configured PAT → safe-outputs PAT → default GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) without any step-output references. GitHub App tokens are intentionally excluded: they are minted and revoked within safe_outputs, so they would be invalid by the time the downstream upload_code_scanning_sarif job runs.

The upload_code_scanning_sarif job now uses ${{ needs.safe_outputs.outputs.checkout_token }} for both the restore checkout step and the upload-sarif token: input.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE /bin/sh (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha ithub/workflows GO111MODULE (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha ithub/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha ithub/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env ithub/workflows l /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go env aw/actions-lock.json ]; then \ cp .github/aw/actions-lock.json pkg/workflow/data/action_pins.jsgit GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE me: String!) { repository(owne-f GOINSECURE GOMOD ed } } go env ithub/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha ithub/workflows GO111MODULE repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go env ithub/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha -json GO111MODULE me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go env ithub/workflows GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /opt�� prettier --check 64/bin/go **/*.ts **/*.json --ignore-path node (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE r: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha run lint:cjs $name) { hasDiscussionsEnabled } } GOSUMDB GOWORK 64/bin/go sh -c &#34;prettier&#34; --cheGOSUMDB sh 64/bin/go &#34;prettier&#34; --wri/usr/bin/gh (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title fix: add actions/checkout restore, explicit ref/sha, and dedicated upload job for SARIF upload fix: dedicated upload_code_scanning_sarif job with checkout token from safe_outputs outputs Apr 3, 2026
@pelikhan pelikhan added the smoke label Apr 3, 2026
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 3, 2026

@copilot fix tests + ensure that the custom github-token, github-app for the checkout is support in the new job

@github-actions github-actions bot mentioned this pull request Apr 3, 2026
Closed
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 3, 2026
edited
Loading

@copilot fix tests + ensure that the custom github-token, github-app for the checkout is support in the new job

Done in e64db0e.

Tests fixed: Updated TestCreateCodeScanningAlertUploadJob to reflect the new token-computation approach — removed assertions checking for needs.safe_outputs.outputs.checkout_token (which gets masked by GitHub Actions) and added assertions verifying the static secret reference appears directly in the upload job steps.

github-app and github-token checkout support: buildCodeScanningUploadJob now checks CheckoutManager.GetDefaultCheckoutOverride() before computing the restore token:

  • checkout: github-app: → mints a fresh checkout-restore-app-token at the top of the upload job and uses ${{ steps.checkout-restore-app-token.outputs.token }} for both the restore checkout and the SARIF upload
  • checkout: github-token:computeStaticCheckoutToken picks up the configured PAT and uses it directly
  • No checkout override → falls back to GH_AW_GITHUB_TOKEN || GITHUB_TOKEN

Two new test cases added: checkout with github-app mints a fresh app token in the upload job and checkout with github-token PAT uses that PAT directly in upload job.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build1573163040/b063/embedcfg -pack /pre�� (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw util (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name 9964843/001&#39; 9964843/001&#39; 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c npx prettier --cGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go sh (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha GOMODCACHE go /usr/bin/git ub/workflows GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/infocmp -json GO111MODULE 64/bin/go infocmp (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha t0 -buildtags (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu--json env g_.a GO111MODULE x_amd64/vet GOINSECURE tants GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha download 12346 /usr/bin/git test-logs/run-12git GO111MODULE 64/bin/go git rev-�� --show-toplevel xvLX0kW/sVnmb7t6Test User /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ortcfg /usr/bin/git edcfg GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� .*/\1/p 64/pkg/tool/linux_amd64/link /usr/bin/git eutil.test &#39;/tmp/TestParserev-parse ortcfg.link git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha xterm-color /opt/hostedtoolcgit-upload-pack &#39;/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitmaster_branchrev-parse /usr/bin/git /tmp/go-build444git -trimpath 64/bin/go git rev-�� --show-toplevel go /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE 64/bin/go node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /repos/actions/github-script/git/ref/tags/v8 resolved$ /usr/bin/git /tmp/go-build444git -trimpath 64/bin/go git conf�� user.email test@example.com /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel go /usr/bin/git OnlyCompiledOutpgit GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 8873347/b457/_pkgit GO111MODULE 1/x64/bin/node git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE npx (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha BmGf/z4scaMF7dR-GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD run-script/lib/n-bool 801917/b411/impo-buildtags /hom�� che/go-build/9b/-errorsas **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-test.paniconexit0 /opt/hostedtoolc-test.v=true (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build2548873347/b430/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil_test.go /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti--bare go (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel -extld=gcc /usr/bin/git /tmp/go-build444git -trimpath 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha b.actor }}, Repo: ${{ github.repository }} /opt/hostedtoolc--initial-branch=develop /usr/bin/git /tmp/go-build444git -trimpath 64/bin/go git rev-�� --show-toplevel d_nvXmt/GCHXPhKTMDTNS235mh1t /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility json&#39; --ignore-p-f --local ache/go/1.25.8/x-f gpg.program (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel -goversion /usr/bin/git -c=4 -nolocalimports -importcfg git conf�� --get remote.origin.url /usr/bin/git lGitbranch_with_git lGitbranch_with_rev-parse 64/bin/go git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha licyBlockedUsersApprovalLabelsCompiledOutput3596507002/001 GO111MODULE 8873347/b431/semverutil.test GOINSECURE GOMOD GOMODCACHE 8873347/b431/semverutil.test e=/t�� t0 GOPROXY 1/x64/bin/node m0s GOWORK (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha licyMinIntegrityOnlyCompiledOutput322856065/001 GO111MODULE 8873347/b424/parser.test l GOMOD GOMODCACHE 8873347/b424/parser.test e=/t�� t0 GOPROXY 1/x64/bin/node m0s GOWORK (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2727239692/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE xvLX0kW/sVnmb7t6Test User env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2727239692/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2727239692/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env d GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2727239692/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c npx prettier --cGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go sh (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 **/*.json --ignore-path git stat�� --porcelain docker 64/bin/go inspect ghcr.io/github/srev-parse 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/pkg/tool/linugit-upload-pack &#39;origin&#39; git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha che/go-build/bf/GOSUMDB GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go oudvXeb6ef4T -o /tmp/go-build444801917/b400/_pkgGOINSECURE -trimpath 64/bin/go -p github.com/githurev-parse -lang=go1.25 go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha k/gh-aw/gh-aw/pk-errorsas k/gh-aw/gh-aw/pk-ifaceassert 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcgit-receive-pack &#39;/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitmaster_branch3801197865/001&#39; -o /tmp/go-build444801917/b405/_pkgGOINSECURE -trimpath 64/bin/go -p github.com/githu-C -lang=go1.25 go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha k/gh-aw/gh-aw/pk-errorsas k/gh-aw/gh-aw/pk-ifaceassert 64/bin/go --ignore-path ../../../.pretti-o 64/bin/go /opt/hostedtoolc-importcfg -o /tmp/go-build444-s -trimpath 64/bin/go -p github.com/githu-C -lang=go1.25 go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha che/go-build/f9/-errorsas **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti. /opt/hostedtoolc-tests -o /tmp/go-build444801917/b419/_pkgGOINSECURE -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha k/gh-aw/gh-aw/pk-errorsas k/gh-aw/gh-aw/pk-ifaceassert 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc--auto -o /tmp/go-build444--detach -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha re --log-level=error cfg $name) { hasDiscussionsEnabled } } (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ty-test.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env b/workflows GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE WKKjjpb/pnOHWmOW0VPsKVyXPZlC env y_only_defaults_repo2620686991/001 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c npx prettier --cGOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go sh (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build2548873347/b396/cli.test /tmp/go-build2548873347/b396/cli.test -test.testlogfile=/tmp/go-build2548873347/b396/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build2548873347/b396/importcfg -pack /tmp/go-build2548873347/b396/_testmain.go /opt�� run lint:cjs 64/bin/go GOSUMDB GOWORK 64/bin/go sh (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan added smoke and removed smoke labels Apr 3, 2026
Copilot AI changed the title fix: dedicated upload_code_scanning_sarif job with SARIF artifact transfer and direct checkout token computation fix: dedicated upload_code_scanning_sarif job with SARIF artifact transfer, direct checkout token computation, and github-app checkout support Apr 3, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions github-actions bot removed the smoke label Apr 3, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026
edited
Loading

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026
edited
Loading

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026
edited
Loading

🎬 THE ENDSmoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.53.0
jq 1.7
yq 4.52.5
curl 8.5.0
gh 2.89.0
node 20.20.2
python3 3.12.3
go 1.24.13
java 21.0.10 (OpenJDK Temurin)
dotnet 10.0.201

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ● 163K ·

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026

Smoke Test Results for run §23960187842

Test Status
GitHub MCP
MCP Scripts GH CLI
Serena MCP
Playwright
Web Fetch
File Writing
Bash Tool
Discussion Interaction
Build gh-aw
Discussion Creation
Workflow Dispatch
PR Review

Overall: ❌ FAIL — PR author: @Copilot, assignees: @pelikhan @Copilot

📰 BREAKING: Report filed by Smoke Copilot · ● 775.4K ·

@github-actions github-actions bot mentioned this pull request Apr 3, 2026
Open
github-actions[bot]
github-actions bot reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke test review of PR #24322: The dedicated upload_code_scanning_sarif job approach cleanly separates the SARIF artifact transfer from the safe_outputs job. New constants in pkg/constants/job_constants.go follow established patterns. ✅

📰 BREAKING: Report filed by Smoke Copilot · ● 775.4K

pkg/constants/job_constants.go
const DetectionJobName JobName = "detection"
const SafeOutputsJobName JobName = "safe_outputs"
const UploadAssetsJobName JobName = "upload_assets"
const UploadCodeScanningJobName JobName = "upload_code_scanning_sarif"
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean addition of the UploadCodeScanningJobName constant using the JobName semantic type — consistent with SafeOutputsJobName, UploadAssetsJobName, etc. The constant name accurately reflects the job purpose.

pkg/constants/job_constants.go
// downloads the SARIF artifact. The file will be available at this path + the SARIF
// filename ("code-scanning-alert.sarif") after actions/download-artifact completes.
const SarifArtifactDownloadPath = "/tmp/gh-aw/sarif/"

Copy link
Copy Markdown
Contributor

@github-actions github-actions bot Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice grouping of the three new SARIF-related constants (SarifArtifactName, SarifArtifactDownloadPath, SarifFileName). The documentation comments clearly explain the artifact transfer pipeline between safe_outputs and upload_code_scanning_sarif jobs.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026

Smoke Test 23960187828 — PARTIAL (17✅ 2⚠️ 0❌)

Core: 1✅ 2✅ 3✅ 4✅ 5✅ 6✅ 7✅ 8✅ 9✅ 10✅ 11✅ 12✅
PR Review: 13✅ 14✅ 15✅ 16⚠️ 17✅ 18✅ 19⚠️

💥 [THE END] — Illustrated by Smoke Claude · ● 373.1K ·

@github-actions github-actions bot mentioned this pull request Apr 3, 2026
Open
github-actions[bot]
github-actions bot reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude · ● 373.1K

.github/workflows/smoke-claude.lock.yml
# inlined-imports: true
#
# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"c8e85b0ffed195e6ee17c58abdbf3bbfcbd97a8f97be8d1041ee2fe72da2ce8b","agent_id":"claude"}
# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"21ff673e699d808782479870bf351cdbf8f6b95415b21decc3c7721a95f0e281","agent_id":"claude"}
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke test review comment #1 (Run 23960187828): The frontmatter hash update reflects the new create_code_scanning_alert safe-output tool addition — this is expected and correct.

.github/workflows/daily-malicious-code-scan.lock.yml
- activation
- agent
- safe_outputs
- upload_code_scanning_sarif
Copy link
Copy Markdown
Contributor

@github-actions github-actions bot Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke test review comment #2 (Run 23960187828): The upload_code_scanning_sarif job dependency is correctly added to the conclusion job's needs list — ensures SARIF upload completes before conclusion runs.

@github-advanced-security
Copy link
Copy Markdown

github-advanced-security bot commented Apr 3, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@pelikhan pelikhan merged commit a738a54 into main Apr 3, 2026
209 of 211 checks passed
@pelikhan pelikhan deleted the copilot/add-sarif-upload-git-commit-references branch April 3, 2026 20:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

smoke-claude smoke-copilot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SARIF upload requires additional git commit references

4 participants

@pelikhan @github-advanced-security