fix: restore actions/setup after cross-repo checkout in safe_outputs job by Copilot · Pull Request #23587 · github/gh-aw

Copilot · 2026-03-30T20:53:57Z

In dev mode, safe_outputs jobs use ./actions/setup (a workspace-relative local path). When create_pull_request or push_to_pull_request_branch is configured, the job checks out the target repo (e.g. githubnext/gh-aw-side-repo), replacing the workspace and removing actions/setup. The runner's automatic post-step for "Setup Scripts" then fails: "Can't find 'action.yml', 'action.yaml' or 'Dockerfile' under .../actions/setup". This broke schedule runs for Smoke Update/Create Cross-Repo PR while PR-triggered runs succeeded (no checkout fired when agent produced no patch output).

Changes

compiler_yaml_helpers.go — Extracts generateRestoreActionsSetupStep() as a shared helper that emits a sparse actions/checkout of actions/setup from github/gh-aw with if: always().
repo_memory.go — Replaces the inline restore step block with a call to the new helper (no behavior change).
compiler_safe_outputs_job.go — Appends the restore step as the final step of the safe_outputs job when c.actionMode.IsDev() && usesPatchesAndCheckouts(data.SafeOutputs), mirroring the existing fix already applied to the push_repo_memory job.

The restore step added to both jobs looks like:

- name: Restore actions folder
  if: always()
  uses: actions/checkout@<pinned-sha>
  with:
    repository: github/gh-aw
    sparse-checkout: |
      actions/setup
    sparse-checkout-cone-mode: true
    persist-credentials: false

62 workflow lock files are updated; workflows with both push_repo_memory and PR-checkout safe outputs now carry the restore step in both jobs.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw description,rele-atomic (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ing-sanitization-atomic l-entity-mention-bool hub-actions-secu-buildtags nt-s�� ../pkg/workflow/-errorsas low.md x_amd64/vet ine-architecture/usr/bin/gh e-output-messageapi hub-mcp-access-cgraphql x_amd64/vet (http block)
https://api.github.com/orgs/test-owner/actions/secrets
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build472158546/b234/importcfg -embedcfg /tmp/go-build472158546/b234/embedcfg -o /tmp/go-build417-p -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --write scripts/**/*.js 64/bin/go .prettierignore --log-level=erro-c 64/pkg/tool/linunpx prettier --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json tail -15 bis 64/pkg/tool/linuGOWORK 64/bin/go _.a 8cBqqSRNX 64/pkg/tool/linu"prettier" --check 'scripts/**/*.js' --ignore-path .prettierignore go (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha user.email test@example.com /usr/bin/git -json GO111MODULE 64/bin/go git conf�� user.email test@example.com /usr/bin/gh ned-imports-enabgit GO111MODULE 64/bin/go gh (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha BdU6/bw3wPTaeFR1J8oHNBdU6 git /opt/hostedtoolcache/uv/0.11.2/x86_64/sh a-feature-coveragit git 0/x64/bin/node 4598277/b063/importcfg -c k/gh-aw/gh-aw/pkg/cli/access_log.go k/gh-aw/gh-aw/pkg/cli/actionlint.go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile u-image-analyzergit git /usr/bin/git /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha "prettier" --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore GOPROXY /home/REDACTED/.cargo/bin/bash GOSUMDB GOWORK 64/bin/go bash --no�� --noprofile node /usr/bin/git --write **/*.cjs 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel /usr/lib/git-core/git-remote-https /usr/bin/git REDACTED go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel x_amd64/vet /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha */*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path git 64/pkg/tool/linux_amd64/compile k.yml git /usr/bin/git 64/pkg/tool/linux_amd64/compile show�� g_.a git es/.bin/sh nore flow /usr/bin/find git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha y_with_explicit_repo2740566095/001 GO111MODULE de/node/bin/sh GOINSECURE GOMOD GOMODCACHE go env */*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha GOMODCACHE lled. Run 'make test@example.com /usr/bin/git on' --ignore-patgit GO111MODULE x_amd64/compile git rev-�� --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE cfg git rev-�� --show-toplevel go /usr/bin/git /v2.0.0 GO111MODULE x_amd64/link git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --get remote.origin.url /usr/bin/git h ../../../.pretgit GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha user.name Test User /usr/bin/git h ../../../.pretgit GO111MODULE 64/bin/go git -C /tmp/gh-aw-test-runs/20260330-212147-44855/test-2299408704 rev-parse /usr/bin/git @{u} GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel go /usr/bin/git t4036869061/.gitgit GO111MODULE ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE bin/node git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build472158546/b229/importcfg -pack /home/REDACTED/go/pkg/mod/github.com/modelcontextprotocol/go-sdk@v1.4.1/internal/util/net.go -c log.showsignatur-p log 64/bin/go --format=%H:%ct /opt/hostedtoolc-o 64/bin/go go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --check scripts/**/*.js 64/bin/go .prettierignore /opt/hostedtoolc-o 64/bin/go go env -json .go 64/bin/go GOINSECURE GOMOD y.s go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build1109668340/b424/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/logger/doc.go /home/REDACTED/work/gh-aw/gh-aw/pkg/logger/logger.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --get remote.origin.url /usr/bin/git h ../../../.pretgit GO111MODULE 64/bin/go git comm�� -m Add workflow /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha 10:11:13 on rkflow/js/**/*.json /../../.prettiergit erignore 0/x64/bin/node sh -c npx prettier --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json git /home/REDACTED/.cargo/bin/sh k.yml git 0/x64/bin/node sh (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha user.name Test User /usr/bin/git h ../../../.pretgit GO111MODULE 64/bin/go git -C /tmp/gh-aw-test-runs/20260330-212147-44855/test-2299408704 rev-parse /usr/bin/git @{u} GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha LGTM_SRC=/home/REDACTED/work/gh-aw/gh-aw on rkflow/js/**/*.json /../../.prettiergit erignore /opt/hostedtoolc--show-toplevel sh -c npx prettier --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json git /home/REDACTED/.local/bin/sh k.yml git 0/x64/bin/node sh (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha ithub/workflows/blog-auditor.md GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE 0/x64/bin/node t-22�� bility_SameInputSameOutput4091968069/001/stability-test.md lint:cjs /home/REDACTED/node_modules/.bin/sh GOSUMDB GOWORK run-script/lib/n--show-toplevel sh (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/sh user.email test@example.comrev-parse /usr/bin/git sh -c exit 1 git /usr/bin/git --show-toplevel go /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha c56fabff06b31d54a95d2fa4:.github/workflows/slideINVALID,NEW git 64/bin/node --show-toplevel git /usr/bin/git git tion�� c56fabff06b31d54a95d2fa4:.github/workflows/ubuntu-image-analyzer.lock.yml git 86_64/sh k.yml git /usr/bin/git git (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha set-url origin ode_modules/.bin/sh (http block)
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel git /usr/bin/git rite '**/*.cjs' node git k/_temp/uv-python-dir/sh git rev-�� --show-toplevel git /usr/bin/git te 'scripts/**/*docker git k/gh-aw/gh-aw/acinspect git (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility */*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel bash /usr/bin/git --noprofile git /home/REDACTED/go//home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel node r: $owner, name: $name) { hasDiscussionsEnabled } } --write **/*.cjs /home/REDACTED/worinspect git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha s_repo rd-policies-spec-ifaceassert ode_modules/.bin-nilfunc idation-architec/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet ing-sanitization-atomic l-entity-mention-bool hub-actions-secu-buildtags nt-s�� ../pkg/workflow/-errorsas low.md x_amd64/vet ine-architecturegit e-output-message-C hub-mcp-access-c/home/REDACTED/work/gh-aw/gh-aw/.github/workflows x_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha --show-toplevel git /usr/bin/git rite '**/*.cjs' node git rgo/bin/sh git rev-�� --show-toplevel git /usr/bin/infocmp te 'scripts/**/*git git ache/node/24.14./home/REDACTED/work/gh-aw/gh-aw/.github/workflows infocmp (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --get remote.origin.url /usr/bin/git h ../../../.pretgit GO111MODULE 64/bin/go git comm�� -m Test commit /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha te '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --- git /home/REDACTED/.local/bin/node er.lock.yml ..feature-branchrev-parse 0/x64/bin/node node /opt�� run format:cjs /home/REDACTED/node_modules/.bin/sh fest.lock.yml infocmp 0/x64/bin/node sh (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE /home/REDACTED/.local/bin/sh GOINSECURE GOMOD GOMODCACHE sh -c runs/20260330-212147-44855/test-718518555 GOPROXY 226989/b444/vet.cfg GOSUMDB GOWORK run-script/lib/n--show-toplevel sh (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha c56fabff06b31d54a95d2fa4:.github/workflows/smoke--ignore-path git 0/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/sh ock.yml git /usr/bin/git git show�� .js' --ignore-path .prettierignore --log-level=e!../../../pkg/workflow/js/**/*.json git tions/setup/js/node_modules/.bin/prettier ts-verifier.lockgit git /usr/bin/gh git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE /home/REDACTED/work/_temp/uv-python-dir/sh GOINSECURE GOMOD GOMODCACHE sh -c runs/20260330-212147-44855/test-718518555 GOPROXY /home/REDACTED/.config/composer/vendor/bin/sh GOSUMDB GOWORK 64/bin/go sh (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel /usr/bin/git /usr/bin/git -v go /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha c56fabff06b31d54a95d2fa4:.github/workflows/smoke-create-cross-repo-pr.lock.yml git nfig/composer/vendor/bin/git ock.yml git /usr/bin/git git show�� .js' --ignore-path .prettierignore --log-level=e!../../../pkg/workflow/js/**/*.json git ache/CodeQL/2.24.3/x64/codeql/tools/linux64/java../../../.prettierignore ts-verifier.lockgit git /usr/bin/git ache/CodeQL/2.24.3/x64/codeql/tools/linux64/java/lib/jspawnhelper (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a t.go 64/pkg/tool/linux_amd64/compile GOINSECURE order GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env ty-test.md GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env es.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env es.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a @v1.19.2/token/token.go 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm (http block)
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build472158546/b139/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/oauth2@v0.34.0/internal/doc.go -o /tmp/go-build417-p -trimpath 64/bin/go -p github.com/githu-o -lang=go1.25 go (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git 2008823733/.githsed GO111MODULE ules/.bin/node git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel -tests /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel sh /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git /workflows/layougit git ache/node/24.14.--show-toplevel git rev-�� --show-toplevel git /usr/bin/git ath ../../../.prsed git ache/node/24.14.../../../.pretti--show-toplevel git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 4001348111/.github/workflows GO111MODULE 64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha image:v1.0.0 go /usr/bin/git licyMinIntegritygit GO111MODULE /home/REDACTED/.ca--show-toplevel git rev-�� --show-toplevel /...; \ else \ echo "golangci-lint is not installed. Run 'make test@example.com /usr/bin/git "prettier" --chegit GOPROXY /opt/hostedtoolc--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha /workflows/mergefest.lock.yml git de --show-toplevel git /usr/bin/git git _inc�� /workflows/smoke--ignore-path git ache/node/24.14.--log-level=error --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env re GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json act.go 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE wasm.s sm.s�� e_wasm.s GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD sm.s go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json sonrpc2/conn.go 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env re GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha ./../pkg/workflo-errorsas (http block)
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel git $name) { hasDiscussionsEnabled } } 6bd19011d1f21c7cinfocmp git k/gh-aw/gh-aw/acxterm-color git rev-�� --show-toplevel git /usr/bin/git te '../../../**/git git /home/REDACTED/wor/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha e-analyzer.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE tions/setup/js/node_modules/.bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel go /usr/bin/git licyMinIntegritygit GO111MODULE /usr/local/.ghcu--show-toplevel git rev-�� --show-toplevel 2c9bd595..HEAD /usr/bin/git "prettier" --chegit GOPROXY /opt/hostedtoolc--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha .json..." git ache/node/24.14.pkg/workflow/copilot_token_parsing_test.go --show-toplevel git /usr/bin/git git _inc�� /workflows/smoke--ignore-path git 0/x64/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/nonexistent/repo/actions/runs/12345
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE h GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/owner/repo/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath -o /tmp/go-build417-p -trimpath 64/bin/go -p github.com/githu-c -lang=go1.25 go (http block)
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath -o /tmp/go-build417-p -trimpath 64/bin/go -p github.com/githu-f1 -lang=go1.25 go (http block)
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go tierignore 0/message/catalo-c 64/pkg/tool/linunpx prettier --check '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/owner/repo/contents/file.md
- Triggering command: /tmp/go-build1109668340/b404/cli.test /tmp/go-build1109668340/b404/cli.test -test.testlogfile=/tmp/go-build1109668340/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build472158546/b200/importcfg -pack -c "prettier" --che-p sh 64/bin/go tierignore /opt/hostedtoolc-o 64/bin/go go (http block)
- Triggering command: /tmp/go-build594226989/b404/cli.test /tmp/go-build594226989/b404/cli.test -test.testlogfile=/tmp/go-build594226989/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true _.a @v1.1.3/cpu/arm/env 64/pkg/tool/linu-json sh -c "prettier" --wriGOINSECURE 64/pkg/tool/linuGOMOD 64/bin/go _.a o x_amd64/compile go (http block)
https://api.github.com/repos/test-owner/test-repo/actions/secrets
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build472158546/b238/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.35.0/internal/catmsg/catmsg.go -V=f�� de/node/bin/bash-p node 64/bin/go -d **/*.cjs 64/bin/go go (http block)
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --write scripts/**/*.js 64/bin/go .prettierignore --log-level=erro/opt/hostedtoolcache/node/24.14.0/x64/bin/npm 64/pkg/tool/linurun /bin/sh -c echo "�� JSON fGOSUMDB 64/pkg/tool/linuGOWORK 64/bin/go --ignore-path ..sh skzryABHE x_amd64/vet go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

…kout Add "Restore actions folder" step at end of safe_outputs job in dev mode when the job includes a checkout step for create_pull_request or push_to_pull_request_branch. The checkout replaces the workspace with the target repo content, removing actions/setup and causing the post-step of "Setup Scripts" to fail. Also extract the restore step into a shared generateRestoreActionsSetupStep() helper in compiler_yaml_helpers.go to eliminate code duplication with the existing restore in the push_repo_memory job. Fixes Smoke Update Cross-Repo PR and Smoke Create Cross-Repo PR schedule run failures (P1 issues #23193 and #23447). Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0fa7fa1d-b65e-4b47-9834-52c652781cf8 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot

Pull request overview

Restores the local ./actions/setup folder in dev-mode workflows after cross-repo checkouts so the GitHub Actions runner can successfully run the setup action’s post-step (“Setup Scripts”) without failing on missing action.yml.

Changes:

Added a shared generateRestoreActionsSetupStep() helper that emits an if: always() sparse checkout of actions/setup from github/gh-aw.
Reused the helper in push_repo_memory and appended the restore step to the consolidated safe_outputs job when dev mode + PR-related checkouts are used.
Regenerated workflow lock files so affected workflows include the new restore step.

Reviewed changes

Copilot reviewed 45 out of 45 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
pkg/workflow/compiler_yaml_helpers.go	Adds `generateRestoreActionsSetupStep()` YAML helper for restoring `actions/setup` via sparse checkout.
pkg/workflow/repo_memory.go	Replaces inline restore-step YAML with the shared helper call.
pkg/workflow/compiler_safe_outputs_job.go	Appends restore step to `safe_outputs` job in dev mode when PR checkouts are used.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/weekly-editors-health-check.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/weekly-blog-post-writer.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/update-astro.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/unbloat-docs.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/ubuntu-image-analyzer.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/tidy.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/test-create-pr-error-handling.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/technical-doc-writer.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/smoke-update-cross-repo-pr.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/smoke-project.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/smoke-multi-pr.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/smoke-create-cross-repo-pr.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/slide-deck-maintainer.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/schema-feature-coverage.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/refiner.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/q.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/mergefest.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/layout-spec-maintainer.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/jsweep.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/instructions-janitor.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/hourly-ci-cleaner.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/go-logger.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/glossary-maintainer.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/github-mcp-tools-report.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/functional-pragmatist.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/dictation-prompt.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/developer-docs-consolidator.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/dead-code-remover.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/daily-workflow-updater.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/daily-safe-output-integrator.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/daily-rendering-scripts-verifier.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/daily-doc-updater.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/daily-doc-healer.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/daily-community-attribution.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/daily-architecture-diagram.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/craft.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/code-simplifier.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/code-scanning-fixer.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/cloclo.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/ci-coach.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.
.github/workflows/changeset.lock.yml	Adds final “Restore actions folder” step to the `safe_outputs` job.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-03-30T21:42:02Z

pkg/workflow/compiler_safe_outputs_job.go

+	// In dev mode the setup action is referenced via a local path (./actions/setup), so its files
+	// live in the workspace. When the safe_outputs job contains a checkout step for
+	// create_pull_request or push_to_pull_request_branch, the workspace is replaced with the
+	// target repository content, removing the actions/setup directory.
+	// Without restoring it, the runner's post-step for Setup Scripts would fail with
+	// "Can't find 'action.yml', 'action.yaml' or 'Dockerfile' under .../actions/setup".
+	// We add a restore checkout step (if: always()) as the last step so the post-step
+	// can always find action.yml and complete its /tmp/gh-aw cleanup.
+	if c.actionMode.IsDev() && usesPatchesAndCheckouts(data.SafeOutputs) {
+		steps = append(steps, c.generateRestoreActionsSetupStep())
+		consolidatedSafeOutputsJobLog.Print("Added restore actions folder step to safe_outputs job (dev mode with checkout)")
+	}


The restore step is appended based only on IsDev() + usesPatchesAndCheckouts(...), but the underlying failure only occurs when the setup action is referenced via the local path (./actions/setup). In dev mode with action-tag (or other cases where setupActionRef resolves to a remote action), this adds an unnecessary checkout and can change the workspace for subsequent post-steps. Consider additionally gating this on setupActionRef == "./actions/setup" (or len(c.generateCheckoutActionsFolder(data)) > 0).

Copilot · 2026-03-30T21:42:03Z

pkg/workflow/compiler_safe_outputs_job.go

+	// In dev mode the setup action is referenced via a local path (./actions/setup), so its files
+	// live in the workspace. When the safe_outputs job contains a checkout step for
+	// create_pull_request or push_to_pull_request_branch, the workspace is replaced with the
+	// target repository content, removing the actions/setup directory.
+	// Without restoring it, the runner's post-step for Setup Scripts would fail with
+	// "Can't find 'action.yml', 'action.yaml' or 'Dockerfile' under .../actions/setup".
+	// We add a restore checkout step (if: always()) as the last step so the post-step
+	// can always find action.yml and complete its /tmp/gh-aw cleanup.
+	if c.actionMode.IsDev() && usesPatchesAndCheckouts(data.SafeOutputs) {
+		steps = append(steps, c.generateRestoreActionsSetupStep())
+		consolidatedSafeOutputsJobLog.Print("Added restore actions folder step to safe_outputs job (dev mode with checkout)")
+	}


This change introduces new workflow-generation behavior (adding a restore checkout step to safe_outputs in dev mode with PR checkouts) but there isn’t a regression test asserting the step is present (and ideally last) in the compiled lock YAML for a workflow that enables create-pull-request/push-to-pull-request-branch. Adding a compilation test would help prevent future regressions of this fix.

Copilot · 2026-03-30T21:42:03Z

pkg/workflow/compiler_yaml_helpers.go

+// generateRestoreActionsSetupStep generates a single "Restore actions folder" step that
+// re-checks out only the actions/setup subfolder from github/gh-aw. This is used in dev mode
+// after a job step has checked out a different repository (or a different git branch) and
+// replaced the workspace content, removing the actions/setup directory. Without restoring it,
+// the GitHub Actions runner's post-step for "Setup Scripts" would fail with
+// "Can't find 'action.yml', 'action.yaml' or 'Dockerfile' under .../actions/setup".
+//
+// The step is guarded by `if: always()` so it runs even if prior steps fail, ensuring
+// the post-step cleanup can always complete.
+//
+// Returns the YAML for the step as a single string (for inclusion in a []string steps slice).
+func (c *Compiler) generateRestoreActionsSetupStep() string {
+	var step strings.Builder
+	step.WriteString("      - name: Restore actions folder\n")
+	step.WriteString("        if: always()\n")
+	fmt.Fprintf(&step, "        uses: %s\n", GetActionPin("actions/checkout"))
+	step.WriteString("        with:\n")
+	step.WriteString("          repository: github/gh-aw\n")
+	step.WriteString("          sparse-checkout: |\n")
+	step.WriteString("            actions/setup\n")


The step label and helper name say “Restore actions folder”, but the sparse checkout only restores actions/setup. Renaming the step (and/or helper) to explicitly reference actions/setup would make the intent clearer and avoid implying the whole actions/ tree is restored.

Copilot · 2026-03-30T21:42:03Z

pkg/workflow/compiler_yaml_helpers.go

+func (c *Compiler) generateRestoreActionsSetupStep() string {
+	var step strings.Builder
+	step.WriteString("      - name: Restore actions folder\n")
+	step.WriteString("        if: always()\n")
+	fmt.Fprintf(&step, "        uses: %s\n", GetActionPin("actions/checkout"))
+	step.WriteString("        with:\n")
+	step.WriteString("          repository: github/gh-aw\n")
+	step.WriteString("          sparse-checkout: |\n")
+	step.WriteString("            actions/setup\n")
+	step.WriteString("          sparse-checkout-cone-mode: true\n")
+	step.WriteString("          persist-credentials: false\n")
+	return step.String()


generateRestoreActionsSetupStep checks out github/gh-aw without a ref. When workflows run from a non-default branch of github/gh-aw, this can restore a different revision of actions/setup than the one that originally ran earlier in the job, which could lead to the runner executing a mismatched post-step implementation. Consider pinning the restore checkout to the workflow repo SHA when the source repo is github/gh-aw (and falling back to the default branch for cross-repo callers).

Initial plan

e0a8806

Copilot AI assigned Copilot and pelikhan Mar 30, 2026

Copilot started work on behalf of pelikhan March 30, 2026 21:04 View session

Copilot AI linked an issue Mar 30, 2026 that may be closed by this pull request

[WHM] Workflow Health Dashboard — 2026-03-30 #23543

Closed

Copilot AI changed the title ~~[WIP] Update workflow health dashboard for March 30, 2026~~ fix: restore actions/setup after cross-repo checkout in safe_outputs job Mar 30, 2026

Copilot finished work on behalf of pelikhan March 30, 2026 21:32

Copilot AI requested a review from pelikhan March 30, 2026 21:32

pelikhan approved these changes Mar 30, 2026

View reviewed changes

Merge branch 'main' into copilot/whm-workflow-health-dashboard

0ca28c7

pelikhan marked this pull request as ready for review March 30, 2026 21:36

Copilot AI review requested due to automatic review settings March 30, 2026 21:36

pelikhan merged commit 8b7f3c4 into main Mar 30, 2026
8 of 50 checks passed

pelikhan deleted the copilot/whm-workflow-health-dashboard branch March 30, 2026 21:36

Copilot started reviewing on behalf of pelikhan March 30, 2026 21:37 View session

Copilot AI reviewed Mar 30, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: restore actions/setup after cross-repo checkout in safe_outputs job#23587

fix: restore actions/setup after cross-repo checkout in safe_outputs job#23587
pelikhan merged 3 commits intomainfrom
copilot/whm-workflow-health-dashboard

Copilot AI commented Mar 30, 2026 •

edited

Loading

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Mar 30, 2026

Uh oh!

Copilot AI Mar 30, 2026

Uh oh!

Copilot AI Mar 30, 2026

Uh oh!

Copilot AI Mar 30, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Mar 30, 2026 •

edited

Loading