Add update-release safe output for modifying GitHub release descriptions

[Copilot]

Summary: Add "update-release" Safe Output Type ✅

Successfully implemented a new safe output type update-release that allows AI agents to update GitHub release descriptions with three operations: replace, append, and prepend.

Features Implemented

Operations:

1. Replace - Completely replaces the release body with new content
2. Append - Adds content to the end with a horizontal line separator (---) and AI attribution footer
3. Prepend - Adds content to the start with AI attribution footer and horizontal line separator

Configuration Options:

safe-outputs:
  update-release:
    max: 1                    # Maximum releases to update (default: 1, max: 10)
    target-repo: owner/repo   # Optional: cross-repository updates
    github-token: ${{ secrets.CUSTOM_TOKEN }}  # Optional: custom GitHub token

JSONL Output Format:

{"type": "update_release", "tag": "v1.0.0", "operation": "replace", "body": "New release notes"}
{"type": "update_release", "tag": "v2.0.0", "operation": "append", "body": "Additional content"}
{"type": "update_release", "tag": "v3.0.0", "operation": "prepend", "body": "Summary content"}
{"type": "update_release", "operation": "prepend", "body": "Tag inferred from context"}

Implementation Complete

1. Prepend Operation ✅

• Added "prepend" as a third operation alongside "replace" and "append"
• Prepends content with AI footer and horizontal line separator at the start

2. GitHub Context for Releases ✅

• Updated compute_text.cjs to extract release content from github.event.release
• Added support for release_url and release_id inputs
• Release context available via ${{ needs.activation.outputs.text }}

3. Updated dev.md Workflow ✅

• Triggers on release events and workflow_dispatch
• Uses prepend operation with minimal permissions (contents: read)
• Instructions require failing if update_release tool is missing

4. Tag Inference from Context ✅

• Tag field is optional in JSONL output
• Automatically inferred from event context when omitted

5. Safe Outputs Tools Integration ✅

• Added update_release tool to safe_outputs_tools.json
• Tool discoverable by AI agents

6. Bug Fix ✅

• Fixed directory creation issue in collect_ndjson_output.cjs

7. Merged with Main ✅

• Successfully merged latest main branch changes
• Resolved conflicts in schemas and TypeScript types
• Both UpdateReleaseOutput and NoOpOutput now available

8. Config Generation Fix ✅ (NEW)

• Added update_release to generateSafeOutputsConfig() function
• Added update_release to generateFilteredToolsJSON() function
• Also added missing noop configuration
• Fixes the tool rejection error during ingestion
• Config properly includes update_release in /tmp/gh-aw/safeoutputs/config.json
• Tools JSON properly includes update_release tool definition

Implementation Quality

• ✅ Full test coverage (9 update_release tests, 1028 total JS tests, all passing)
• ✅ Comprehensive validation (schema, collection, runtime)
• ✅ Error handling with clear messages
• ✅ Staged mode preview support
• ✅ Cross-repository support
• ✅ Test workflows for all engines
• ✅ Safe outputs tools integration
• ✅ Safe outputs config generation fixed
• ✅ Generated documentation
• ✅ Follows existing safe-output patterns
• ✅ Up to date with main branch
• ✅ All 80 workflows compile successfully

All tests pass, workflows compile successfully. Ready for final review and merge!

Original prompt

Add the "update-release" safe output that allows to update a release description.

• operation: replace or append
• mutates description only
• each appended text start with a horizontal line and has the default ai generated footer

Custom agent used: copilot-add-safe-output-type
Adding a New Safe Output Type to GitHub Agentic Workflows

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pelikhan]

@copilot

• add a "prepend" operation that adds text at the start of the description
• update GitHub context prompt to include release id if available in context
• update dev.md agentic workflow to triggers on workflow dispatch or release creates and prepends a summary of the description of the current release or input release url/id

[Copilot]

@copilot

• add a "prepend" operation that adds text at the start of the description
• update GitHub context prompt to include release id if available in context...

Implemented all three requested features in commit 817c0a0:

1. Prepend operation ✅

• Added "prepend" to operation enum alongside "replace" and "append"
• Prepends content with AI footer and horizontal line separator at the start
• Updated schema, validation, and tests (now 7 update_release tests, all passing)

2. GitHub context with release ID ✅

• Updated compute_text.cjs to extract release content from github.event.release
• Added support for release_url input (fetches from any repo via URL pattern matching)
• Added support for release_id input (fetches from current repo)
• Release context now available via ${{ needs.activation.outputs.text }}

3. Updated dev.md workflow ✅

• Changed trigger to release: [created, edited, published] and workflow_dispatch
• Added optional release_url and release_id workflow inputs
• Changed task from poem generation to release summary prepending
• Uses prepend operation to add AI summaries at the top of release descriptions

All tests passing (1005 JS tests, all Go tests). Ready for review!

[pelikhan]

@copilot if tag is missing, infer release tag from release information in event context

[Copilot]

@copilot if tag is missing, infer release tag from release information in event context

Implemented tag inference from release event context in commit 703a604:

Tag Field Now Optional ✅

• Removed tag from required fields in schema
• Updated TypeScript types to make tag optional
• Modified validation to accept omitted tag

Automatic Tag Inference ✅
The tag is automatically inferred from event context when omitted:

1. Release events: Uses github.event.release.tag_name
2. Workflow dispatch with release_url: Parses URL to extract tag
3. Workflow dispatch with release_id: Fetches release to get tag

Example Usage:

{"type": "update_release", "operation": "prepend", "body": "## AI Summary\n\nKey highlights"}

When triggered by a release event, the tag is automatically inferred. The workflow fails gracefully with a clear error if tag cannot be inferred from context.

Updated dev.md workflow to demonstrate the new optional tag behavior. All tests passing (9 update_release tests, 1007 total JS tests).

[github-actions]

✅ Dev Hawk Report - Success

Workflow Run: #2993

• Status: completed
• Conclusion: success
• Branch: copilot/add-update-release-output
• Commit: 703a604
• Duration: ~80 seconds
• Triggered by: @pelikhan via workflow_dispatch

Summary

The Dev workflow completed successfully! 🎉

Latest Commit:

Make tag optional and infer from release event context

• Made 'tag' field optional in UpdateReleaseOutput schema
• Updated TypeScript types to reflect optional tag
• Modified update_release.cjs to infer tag from event context when missing
• Updated validation to accept omitted tag field
• Added tests for tag inference from event context
• All tests passing (9 update_release tests, 1007 total JS tests)

This change enhances the update-release safe output feature by making the tag field optional and automatically inferring it from the GitHub event context, improving the developer experience.

AI generated by Dev Hawk

[pelikhan]

@copilot make sure to add the update release tool to the safe output tools.json

[Copilot]

@copilot make sure to add the update release tool to the safe output tools.json

Added update_release to safe outputs tools.json in commit 89b68d3.

The tool definition includes:

• Three operation types: replace, append, prepend
• Optional tag field (inferred from event context)
• Complete input schema with descriptions
• Updated test expectations to include the new tool

All tests passing.

[pelikhan]

@copilot read only

[github-actions]

⚠️ Dev Hawk Report - Failure Analysis

Workflow Run: #2997

• Status: completed
• Conclusion: failure
• Commit: 25d3c78
• Duration: ~1 minute 20 seconds

Root Cause Analysis

The workflow failed at step 26 "Ingest agent output" in the main agent job. However, all preceding steps completed successfully including:

✅ GitHub Copilot CLI execution (step 23)
✅ Safe Outputs upload (step 25)
✅ MCP logs upload (step 29)
✅ Agent stdio upload (step 31)
✅ Error validation (step 32)

This indicates the AI agent executed successfully and generated outputs, but the ingestion/processing step encountered an issue.

Failure Pattern

Type: Output Processing Failure

The failure occurred after the Copilot agent completed execution but during the output ingestion phase. Key observations:

1. Safe outputs were generated: The safe_output.jsonl artifact (427 bytes) was successfully uploaded
2. No error patterns detected: Step 32 "Validate agent logs for errors" completed successfully with 0 matches
3. Clean working tree: Git status showed "nothing to commit, working tree clean"
4. No patch generated: The workflow indicated "No branch found, no patch generation"

Investigation Notes

The workflow appears to be testing the new update-release safe output functionality on the copilot/add-update-release-output branch. Based on the step sequence:

• The Copilot agent executed without runtime errors
• Safe outputs were collected and uploaded
• The failure happened during the "Ingest agent output" step which processes the agent's response

This could indicate:

• An issue with the agent output format or structure
• A validation failure in the ingestion script
• An unexpected response format from the Copilot CLI

Recommended Actions

• Review the safe_output.jsonl artifact to see what the agent produced
• Check the agent-stdio.log artifact for any warnings or unusual output
• Examine the "Ingest agent output" step implementation for what validation it performs
• Verify the expected output format matches what the agent is producing
• Consider adding more detailed error messages to the ingestion step for easier debugging

Additional Context

This appears to be a workflow dispatch run testing the PR's new functionality. The failure is in the output processing pipeline rather than the agent execution itself, which suggests the new update-release safe output implementation may need adjustments to work correctly with the workflow's output ingestion mechanism.

AI generated by Dev Hawk

[pelikhan]

@copilot review the JavaScript that does safe output type ingestion for update release.

See error in https://github.com/githubnext/gh-aw/actions/runs/19484470074/job/55763523819#step:26:1

[Copilot]

@copilot review the JavaScript that does safe output type ingestion for update release.

See error in https://github.com/githubnext/gh-aw/actions/runs/19484470074/job/55763523819#step:26:1

I've reviewed the update_release ingestion code in collect_ndjson_output.cjs (lines 590-615). The validation logic appears correct and all tests pass locally.

Could you provide the specific error message from the workflow run? The link points to step 26, but I need to see the actual error output to diagnose the issue. You can:

1. Copy/paste the error message from the logs, or
2. Share what operation failed (e.g., validation error, runtime error, API error)

The current implementation validates:

• Optional tag field (string if provided)
• Required operation field (must be "replace", "append", or "prepend")
• Required body field (string content)
• Sanitizes all content appropriately

All 9 unit tests pass including validation tests.

@copilot review the JavaScript that does safe output type ingestion for update release.

See error in https://github.com/githubnext/gh-aw/actions/runs/19484470074/job/55763523819#step:26:1

Fixed the directory creation issue in commit dbc8037. The problem was in collect_ndjson_output.cjs at line 723 - it was creating /tmp instead of /tmp/gh-aw, causing the agent_output.json file write to fail. All 1007 JS tests now pass.

[pelikhan]

@copilot merge main

[Copilot]

@copilot merge main

Merged main branch in commit 3e0eac6. Resolved all conflicts between UpdateReleaseOutput (from this PR) and NoOpOutput (from main). All 1028 JS tests and Go tests pass, 80 workflows compiled successfully with 0 errors.

[pelikhan]

@copilot the list of safe output types should contain update_release . As you can see the ingestion step fails because the tool is refused. Report: https://github.com/githubnext/gh-aw/actions/runs/19489819272/job/55779735870#step:26:1

[github-actions]

⚠️ Dev Hawk Report - Failure Analysis

Workflow Run: #2998

• Status: failure
• Commit: 3e0eac6a9821b956d8b1b32731d004d50d40ef3a
• Duration: ~1 minute 25 seconds
• Trigger: workflow_dispatch

Root Cause Analysis

The Dev workflow failed during the "Ingest agent output" step (step 26 of 69), which occurs after the GitHub Copilot CLI execution completed successfully.

Key Findings

1. Copilot CLI Execution: ✅ Completed successfully (step 23)
2. Error Validation: ✅ Passed - no error patterns detected in logs
3. Failure Point: ❌ "Ingest agent output" step failed

What Happened

The workflow executed through these phases:

• ✅ Pre-activation and activation jobs completed
• ✅ Repository checkout and setup
• ✅ Copilot CLI installation and execution (26 seconds)
• ✅ Log validation passed (no errors detected)
• ❌ Agent output ingestion failed

The logs show:

Checking for branch name in JSONL output...
No branch found, no patch generation

This indicates the Copilot CLI executed but either:

• Did not produce expected safe output (JSONL) format
• The output ingestion step encountered a processing error
• The output file was missing or malformed

Investigation Notes

Safe Outputs Configuration:

• The workflow has update_release configured as a safe output
• The detection job was skipped (indicating no safe output was detected)
• No git patch was generated (expected if no code changes were made)

Possible Causes:

1. Output Format Issue: The Copilot CLI may have produced output in an unexpected format
2. Safe Output Processing: The ingestion script may have encountered an error parsing the output
3. Missing Output File: The safe outputs file may not have been created or was empty
4. Step Dependencies: A dependency between steps may have failed silently

Recommended Actions

• Review Copilot CLI Logs: Check the "Execute GitHub Copilot CLI" step output to see what was generated
• Inspect Safe Outputs Artifact: Download the "safe-outputs" artifact to verify JSONL format
• Check Agent Output Artifact: Review the "agent-output" artifact for the actual Copilot response
• Verify Workflow Configuration: Ensure the dev.md workflow has correct safe-outputs configuration
• Test Locally: Run gh aw compile dev.md to verify workflow structure

Additional Context

Branch: copilot/add-update-release-output
PR Context: This PR adds update-release safe output functionality

The failure appears to be related to output processing rather than the core Copilot execution, which completed successfully. This suggests a potential issue with the safe output detection or ingestion logic rather than the AI agent's execution.

AI generated by Dev Hawk

[Copilot]

@copilot the list of safe output types should contain update_release . As you can see the ingestion step fails because the tool is refused. Report: https://github.com/githubnext/gh-aw/actions/runs/194...

Fixed in commit bc7c250. The issue was that update_release was missing from two critical functions in pkg/workflow/safe_outputs.go:

1. generateSafeOutputsConfig() - now includes update_release configuration
2. generateFilteredToolsJSON() - now includes update_release in the enabled tools list

The tool is now properly added to both /tmp/gh-aw/safeoutputs/config.json and /tmp/gh-aw/safeoutputs/tools.json, which resolves the ingestion rejection error.

[github-actions]

✅ Dev Hawk Report - Success

Workflow Run: #2999

• Status: completed
• Conclusion: success
• Commit: bc7c250
• Duration: 2 minutes 34 seconds
• Branch: copilot/add-update-release-output

Summary

The Dev workflow completed successfully! 🎉

This workflow validated the changes to add update_release configuration support to the safe outputs system. The commit fixed the ingestion error where the update_release tool was being rejected by ensuring it's properly configured in both:

• generateSafeOutputsConfig() - Safe outputs configuration generation
• generateFilteredToolsJSON() - Filtered tools JSON generation

All tests passed and 80 workflows compiled successfully.

AI generated by Dev Hawk

[Copilot]

Pull Request Overview

This PR adds a comprehensive "update-release" safe output type that enables AI agents to modify GitHub release descriptions with three operations (replace, append, prepend). The implementation includes full schema validation, Go backend integration, JavaScript execution logic, comprehensive test coverage, and proper documentation. The PR also fixes a bug in directory creation and adds GitHub context support for release events.

Key Changes

• New update-release safe output with three operations: replace (full replacement), append (add at end with separator), prepend (add at start with separator)
• Tag inference from release event context or workflow dispatch inputs
• Integration with safe outputs config generation and tools JSON filtering
• Comprehensive validation in collection, schema, and runtime layers
• Bug fix for directory creation in collect_ndjson_output.cjs (changed from /tmp to /tmp/gh-aw)

Reviewed Changes

Copilot reviewed 90 out of 92 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
schemas/agent-output.json	Adds UpdateReleaseOutput schema definition with validation for tag, operation, and body fields
pkg/workflow/update_release.go	Implements UpdateReleaseConfig struct and job building logic following existing safe output patterns
pkg/workflow/scripts.go	Adds embedding and bundling for update_release.cjs script
pkg/workflow/safe_outputs.go	Integrates update_release into config generation and tools JSON filtering
pkg/workflow/js/update_release.cjs	Core implementation with tag inference, operation handling, and staged mode support
pkg/workflow/js/update_release.test.cjs	Comprehensive test coverage (9 tests) covering all operations and edge cases
pkg/workflow/js/collect_ndjson_output.cjs	Adds validation logic and fixes directory creation bug
pkg/workflow/js/compute_text.cjs	Adds release event and workflow_dispatch support for release context extraction
pkg/workflow/js/safe_outputs_tools.json	Defines update_release tool with proper schema and descriptions
.github/workflows/dev.md	Updates example workflow to demonstrate update-release usage with prepend operation
Multiple .lock.yml files	Consistent integration of validation code and noop configuration across all workflows

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.