Agentic Workflow Audit Report - 2026-02-19

[github-actions[bot]]

Audit Summary

• Period: Last 24 hours (2026-02-18 ~05:49Z to 2026-02-19 ~05:50Z)
• Runs Analyzed: 21 total (13 with active agents)
• Workflows Active: 14 distinct workflows with agent execution
• Success Rate: 84.6% (11/13 agentic runs succeeded)
• Issues Found: 4 (2 failures, 1 missing tool, 1 missing data)
• Total Tokens: ~193.8M | Estimated Cost: $4.13

Note: This is the first audit run — no historical baseline is available for comparison. Baseline metrics are established today.

---

Workflow Health Trend

The 24-hour period shows 11 successful agentic runs across diverse workflow types (smoke tests, daily tasks, PR-triggered). 7 runs were cancelled without agent execution (these are PR-triggered workflows that fired and were then superseded by branch updates — expected behavior). 2 runs failed, both involving Codex.

---

Token & Cost by Agent Type

Codex dominates token usage at ~185.8M tokens (primarily Changeset Generator at 136.9M tokens for a PR task). Claude's Daily Documentation Updater is the only run with a tracked estimated cost at $4.13 and 57 turns. Copilot usage is spread across multiple lower-token workflows totaling ~4.1M tokens.

---

Missing Tools

Tool Name	Request Count	Workflows Affected	Reason
GitHub MCP tools (list_issues, get_repository)	1	GitHub Remote MCP Authentication Test	MCP toolsets not loading in runner

Analysis: The github-remote-mcp-auth-test workflow is specifically designed to test GitHub Remote MCP tool availability. The missing tool report is the expected failure mode — the tools failed to load in the runner. The agent correctly reported the issue and suggested remediation steps. This is a recurring infrastructure configuration issue (MCP server not starting or api.githubcopilot.com/mcp/ unreachable in local mode).

---

Missing Data

Data Type	Count	Workflow Affected	Reason
PR/Issue number for comment id 3924768135	1	AI Moderator	GitHub context does not include pull-request-number; comment id alone is insufficient

Analysis: The AI Moderator was triggered by an issue_comment event but the workflow context did not include the parent PR/issue number, making it impossible for the agent to fetch the comment via MCP. The agent correctly reported missing data and provided clear instructions for resolution.

---

Error Analysis

Critical Errors (Workflow Failures)

1. Duplicate Code Detector — safe_outputs job failure

• Run: §22167968348
• Agent: Codex | Turns: 5 | Tokens: 30.1M
• Root Cause: The safe_outputs job's "Assign Copilot to created issues" step failed with GraphQL FORBIDDEN: Could not assign agent: target repository is not writable (mutation: replaceActorsForAssignable)
• Impact: Workflow marked as failure even though the primary action (issue creation) succeeded
• Pattern: Previously identified in yesterday's Safe Output Health Report. This is a recurring issue.
• Recommendation: Make Copilot assignment non-fatal in assign_copilot_to_created_issues.cjs

2. Daily Fact About gh-aw — workflow failure

• Run: §22170190303
• Agent: Codex | Status: Not compiled (compiled: No)
• Root Cause: The daily-fact workflow is marked as compiled: No in the status listing, indicating the workflow file has not been compiled to a .lock.yml. The failure occurred before agent execution (no token usage recorded).
• Recommendation: Compile the daily-fact workflow using gh aw compile daily-fact

Warnings

None recorded in this period.

---

MCP Server Failures

No MCP server failures (beyond the missing tool report above) were detected in this period.

---

Firewall Analysis

• Total Requests: 870
• Allowed Requests: 500 (57.5%)
• Blocked Requests: 370 (42.5%)

Allowed Domains (by request count)

Domain	Allowed Requests
api.githubcopilot.com:443	192
api.anthropic.com:443	161
api.openai.com:443	118
registry.npmjs.org:443	18
proxy.golang.org:443	8
storage.googleapis.com:443	1
sum.golang.org:443	1
github.com:443	1

Blocked Domains (potentially notable)

Domain	Blocked Requests	Notes
Unknown/unresolved (-)	361	Internal requests (loopback, container networking) — expected
codeload.github.com:443	4	Changeset Generator attempting to download GitHub source archives — blocked by firewall
github.com:443	5	Changeset Generator attempting direct GitHub API calls outside MCP — partially blocked

Notable: The Changeset Generator workflow had 68 blocked requests (41.7% block rate). The codeload.github.com blocks suggest the Codex agent is attempting to download source archives directly rather than through allowed channels. This warrants review if the workflow needs this access.

---

Performance Metrics

• Average Token Usage (runs with tokens): ~16.1M tokens per run
• Highest Token Run: Changeset Generator — 136.9M tokens (Codex, 3 turns)
• Most Turns: Daily Documentation Updater — 57 turns (Claude, 11.2 minutes)
• Fastest Successful Run: AI Moderator — 6.3 minutes (1 turn)
• Total Cost (24h): $4.13 (tracked only for Claude runs)

---

Affected Workflows Summary

Workflow	Status	Agent	Issue
Duplicate Code Detector	❌ Failed	Codex	Copilot assignment FORBIDDEN in safe_outputs
Daily Fact About gh-aw	❌ Failed	Codex	Not compiled; workflow failed before agent execution
GitHub Remote MCP Auth Test	⚠️ Missing Tool	Copilot	GitHub MCP tools not loading in runner
AI Moderator	⚠️ Missing Data	Codex	Parent issue/PR number missing from trigger context
Changeset Generator	✅ Success	Codex	High token usage (136.9M); codeload.github.com blocked

---

Recommendations

1. Compile daily-fact workflow: The daily-fact workflow shows compiled: No. Run gh aw compile daily-fact to generate the .lock.yml file so it can execute properly.

2. Fix Copilot assignment non-fatal error: The assign_copilot_to_created_issues.cjs step should catch FORBIDDEN GraphQL errors gracefully and emit a warning instead of failing the step. This prevents misleading failure conclusions when the primary operation (issue creation) succeeded.

3. Investigate GitHub Remote MCP tool loading: The github-remote-mcp-auth-test workflow consistently fails because GitHub MCP tools don't load. Verify that the MCP server starts correctly and that api.githubcopilot.com/mcp/ is accessible from the runner.

4. Review AI Moderator context: The ai-moderator workflow triggered on an issue_comment event but lacked parent issue/PR context. Review the trigger configuration to ensure the comment's parent resource is available in the workflow context.

5. Review Changeset Generator firewall needs: 68 blocked requests (including codeload.github.com) may indicate the workflow needs additional domain allowances. If source archive downloads are required, add codeload.github.com to the workflow's allowed domains.

---

Historical Context

This is the first audit run for the Agentic Workflow Audit Agent on this repository. No prior baseline exists for trend comparison. The following baseline metrics are established:

• Baseline Success Rate: 84.6%
• Baseline Daily Tokens: ~193.8M
• Baseline Daily Cost: $4.13 (Claude)
• Recurring Issue Identified: Copilot assignment FORBIDDEN (also seen in Safe Output Health Monitor from prior day)

Future audits will compare against this baseline to identify regressions and improvements.

---

Next Steps

• Compile daily-fact workflow: gh aw compile daily-fact
• Fix non-fatal Copilot assignment error in assign_copilot_to_created_issues.cjs
• Investigate GitHub Remote MCP tool loading failure
• Review AI Moderator trigger context configuration
• Monitor Changeset Generator firewall blocks (codeload.github.com)

References:

• §22167968348 — Duplicate Code Detector (failure: safe_outputs Copilot assignment)
• §22170190303 — Daily Fact About gh-aw (failure: not compiled)
• §22169428601 — GitHub Remote MCP Auth Test (missing tool)

AI generated by Agentic Workflow Audit Agent

• expires on Feb 26, 2026, 5:56 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-26T05:56:14.401Z.

Closed by Workflow