diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 0186abf923..c657032a00 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1208,7 +1208,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 6efae377ed..215b62300d 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1294,7 +1294,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 26ddbcbf2e..4bed62d0c7 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -1144,7 +1144,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 11dd6ff380..3137a1d86e 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml 
+++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1174,7 +1174,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 302396318b..dc3fc7a79b 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -1068,7 +1068,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index bff1106c2b..8b1594e11f 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1162,7 +1162,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 1c45cf8dc5..68c68005e6 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml 
@@ -1097,7 +1097,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index d80c1bc282..4eb630f78e 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -1237,7 +1237,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index e7b751e334..ac74bd834e 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1311,7 +1311,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index e27e016204..19d4f55fb1 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml 
@@ -1216,7 +1216,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml index 77d204c980..1c404160b1 100644 --- a/.github/workflows/daily-community-attribution.lock.yml +++ b/.github/workflows/daily-community-attribution.lock.yml @@ -1099,7 +1099,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index cdd7c52f4b..028fcafa8c 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -1184,7 +1184,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 24e34a9e12..b2875b1b45 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml 
@@ -1238,7 +1238,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index bcbb13860d..ea2e4bc3d2 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -1198,7 +1198,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 95c1f7aaa1..a39a364d3f 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1322,7 +1322,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 446aaf8eaf..fd82f72be3 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml 
@@ -1112,7 +1112,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index f90203be3b..91771e6d27 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1429,7 +1429,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index cfcd88fedb..f7d8f662e4 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1101,7 +1101,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 4095e132d3..71872c4dea 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml 
@@ -1172,7 +1172,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index a5f52909e3..f804a295f3 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -1313,7 +1313,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 351f6908c4..d3b827cfdd 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -675,7 +675,7 @@ jobs: push_repo_memory: needs: agent - if: always() + if: always() && needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index dd3d4c17b8..3a479d23c3 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1094,7 +1094,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write 
diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 0241fd69a7..86011bf333 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -1062,7 +1062,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index a4d68a20a6..e5c885a512 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1318,7 +1318,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml index 0fba4861f9..880e266f62 100644 --- a/.github/workflows/weekly-blog-post-writer.lock.yml +++ b/.github/workflows/weekly-blog-post-writer.lock.yml @@ -1301,7 +1301,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 0bc90bfddd..ec6656127f 100644 --- a/.github/workflows/workflow-health-manager.lock.yml 
+++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1162,7 +1162,9 @@ jobs: needs: - agent - detection - if: always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') + if: > + always() && (needs.detection.result == 'success' || needs.detection.result == 'skipped') && + needs.agent.result == 'success' runs-on: ubuntu-slim permissions: contents: write diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go index d8e49d3738..1f69dcebf3 100644 --- a/pkg/workflow/repo_memory.go +++ b/pkg/workflow/repo_memory.go 
@@ -734,16 +734,21 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna
 steps = append(steps, c.generateRestoreActionsSetupStep())
 }
- // Set job condition based on threat detection
- // If threat detection is enabled, only run if detection passed
- // Otherwise, always run (even if agent job failed)
- jobCondition := "always()"
- jobNeeds := []string{"agent"}
+ // Job condition: only run if the agent job succeeded (do not push repo memory when agent
+ // failed or was skipped). Using always() so the job still runs even when upstream jobs
+ // are skipped (e.g. detection is skipped when agent produces no outputs).
+ agentSucceeded := BuildEquals(
+ BuildPropertyAccess(fmt.Sprintf("needs.%s.result", constants.AgentJobName)),
+ BuildStringLiteral("success"),
+ )
+ jobNeeds := []string{string(constants.AgentJobName)}
+ var jobCondition string
 if threatDetectionEnabled {
- // When threat detection is enabled, run only if detection succeeded (no threats found)
- // or was skipped (agent produced no outputs or patch — nothing to detect against).
- jobCondition = RenderCondition(BuildAnd(BuildFunctionCall("always"), buildDetectionPassedCondition()))
+ // When threat detection is enabled, also require detection passed (succeeded or skipped).
+ jobCondition = RenderCondition(BuildAnd(BuildAnd(BuildFunctionCall("always"), buildDetectionPassedCondition()), agentSucceeded))
 jobNeeds = append(jobNeeds, string(constants.DetectionJobName))
+ } else {
+ jobCondition = RenderCondition(BuildAnd(BuildFunctionCall("always"), agentSucceeded))
 }
 // Build outputs map for validation failures from all memory steps
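Review bot: In the `threatDetectionEnabled` branch a `skipped` detection result still counts as a pass, so with the new `agentSucceeded` term the job (which the generated workflows run with `contents: write`) pushes repo memory whenever the agent succeeded and detection did not run at all. The comment justifies the skip by "agent produces no outputs", but repo memory is presumably written separately from those outputs, so memory content may reach the branch without having been scanned; whether it does depends on `buildDetectionPassedCondition` and the detection job's own `if`, neither of which is visible in this hunk. If that is intended, state it at the condition, e.g. `// A skipped detection job counts as a pass: repo memory is pushed unscanned when the agent produced no outputs.`; otherwise consider requiring `success` from detection for this job. The body of buildPushRepoMemoryJob starts and ends outside the hunk.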