Fix gh-aw workflow issues: label gates, duplicate title prefixes, security restrictions, and Docker image pinning#10
Merged
zircote merged 3 commits into feature/gh-aw-migration, Feb 21, 2026
…ecurity restrictions, and Docker image pinning Co-authored-by: zircote <307960+zircote@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Migrate workflows to GitHub Agentic Workflow format" to "Fix gh-aw workflow issues: label gates, duplicate title prefixes, security restrictions, and Docker image pinning" on Feb 20, 2026
Pull request overview
This PR fixes four critical issues in the gh-aw workflow migration: duplicate title prefixes, missing label gates, overly permissive security settings, and unpinned Docker images. These changes improve workflow reliability, security, and user experience.
Changes:
- Removed redundant `title-prefix` values from safe-outputs configurations that were duplicating prefixes already in agent-generated titles
- Added label filtering conditions to `pre_activation` jobs to prevent workflows from triggering on every opened issue
- Restricted agent permissions in weekly-reminder from `--allow-all-tools --allow-all-paths` to explicit path allowlists
- Pinned NSIP Docker image to SHA256 digest for supply chain security
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/weekly-reminder.md | Removed redundant "Weekly Farm Check - " title prefix from safe-outputs |
| .github/workflows/weekly-reminder.lock.yml | Updated compiled workflow: removed title prefix from config JSON and replaced --allow-all-tools --allow-all-paths with explicit --allow-path restrictions |
| .github/workflows/flock-action.md | Removed redundant "[Flock Action] " title prefix and pinned nsip Docker image to SHA256 digest |
| .github/workflows/flock-action.lock.yml | Updated compiled workflow: removed title prefix from config JSON, pinned nsip image digest, and added label gate to pre_activation job |
| .github/workflows/eov-seasonal-reminder.md | Removed redundant "EOV " title prefix from safe-outputs |
| .github/workflows/eov-seasonal-reminder.lock.yml | Updated compiled workflow: removed title prefix from config JSON |
| .github/workflows/eov-enrichment.lock.yml | Added multi-label gate to pre_activation job to filter EOV-related issues |
zircote added a commit that referenced this pull request, Feb 21, 2026:
* Migrate 4 workflows to GitHub Agentic Workflow (gh-aw) format

Replace YAML workflows that assigned copilot-swe-agent or used github-script with unified gh-aw markdown files that combine trigger configuration and agent instructions in a single file.

Migrated workflows:
- flock-action: NSIP breeding analysis (consolidates .yml + instructions)
- eov-enrichment: EOV ecological monitoring (consolidates .yml + instructions)
- weekly-reminder: Monday farm checklist creation
- eov-seasonal-reminder: Quarterly ecological monitoring reminder

Kept as YAML (not agentic):
- copilot-setup-steps.yml (infrastructure setup)
- dependabot-automerge.yml (CI reusable workflow)

Key improvements in gh-aw format:
- Read-only permissions with writes gated through safe-outputs
- Reaction feedback (eyes) on event-triggered workflows
- Restricted bash allowlists (least-privilege)
- Lock-for-agent to prevent concurrent processing
- Duplicate detection for scheduled workflows
- Edge case handling for invalid inputs
- Branch-prefix constraints on PR creation

* Fix compile errors and add compiled .lock.yml files
- Remove unsupported `reaction` and `branch-prefix` fields
- Fix bash tool syntax (array format, not object)
- Remove unsupported `max`/`discussions` on safe-outputs
- Add compiled .lock.yml for all 4 agentic workflows
- Add .gitattributes and .github/aw/ from gh-aw compiler

* Fix label gates, duplicate title prefixes, allow-all-tools, and image digest pinning (#11)
* Initial plan
* Fix review comments: label gates, title prefix duplication, security improvements

Co-authored-by: zircote <307960+zircote@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: zircote <307960+zircote@users.noreply.github.com>

* Fix gh-aw workflow issues: label gates, duplicate title prefixes, security restrictions, and Docker image pinning (#10)
* Initial plan
* Address review comments: fix duplicate title prefixes, label gates, security restrictions, and Docker image pinning

Co-authored-by: zircote <307960+zircote@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: zircote <307960+zircote@users.noreply.github.com>
Co-authored-by: Robert Allen <zircote@gmail.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: zircote <307960+zircote@users.noreply.github.com>
Four categories of issues identified in the gh-aw workflow migration PR review.
Duplicate title prefixes
`safe-outputs` `title-prefix` values were redundant with the titles the agent was instructed to construct, resulting in doubled prefixes (e.g., "Weekly Farm Check - Weekly Farm Check - Week N"). Removed `title-prefix` from `weekly-reminder.md`, `eov-seasonal-reminder.md`, and `flock-action.md`, with matching updates to `GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG` in the compiled lock files.

Missing label gates

`flock-action.lock.yml` and `eov-enrichment.lock.yml` triggered on every opened issue with no label filtering, despite the compiler comments claiming otherwise. Added `if:` conditions to the `pre_activation` job in each:

`--allow-all-tools` in weekly-reminder

`weekly-reminder.lock.yml` was compiled with `--allow-all-tools --allow-all-paths`, unlike the other workflows which use explicit allowlists. Replaced with `--allow-path /tmp/gh-aw/ --allow-path "${GITHUB_WORKSPACE}"`.

Mutable Docker image reference

`ghcr.io/zircote/nsip` was referenced by tag only (supply chain risk). Pinned to digest in both `flock-action.md` and `flock-action.lock.yml`:
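The three lock-file issues above (missing label gate, `--allow-all-*` flags, tag-only image reference) are all detectable from the compiled YAML text, which makes a small audit script a useful regression check before re-running the gh-aw compiler. The script below is an added example, not part of this PR or of the gh-aw project; it works on two constructed lock-file fragments in the shape described here. The label name `flock-action`, the `copilot` command line, and the all-zero digest are placeholders, not values from the repository.

```python
import re
from typing import List

# Constructed "before" sample showing the issues described in the PR body
# (hypothetical content, not the repository's real flock-action.lock.yml).
SAMPLE_BEFORE = """\
name: Flock Action
on:
  issues:
    types: [opened]
jobs:
  pre_activation:
    runs-on: ubuntu-latest
    steps:
      - run: echo activation
  agent:
    needs: pre_activation
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/zircote/nsip:latest
    steps:
      - run: copilot --allow-all-tools --allow-all-paths
"""

# Constructed "after" sample: label gate on pre_activation, explicit path
# allowlist, image pinned by digest. Label name and digest are placeholders.
SAMPLE_AFTER = """\
name: Flock Action
on:
  issues:
    types: [opened]
jobs:
  pre_activation:
    if: contains(github.event.issue.labels.*.name, 'flock-action')
    runs-on: ubuntu-latest
    steps:
      - run: echo activation
  agent:
    needs: pre_activation
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/zircote/nsip@sha256:<DIGEST>
    steps:
      - run: copilot --allow-path /tmp/gh-aw/ --allow-path "${GITHUB_WORKSPACE}"
""".replace("<DIGEST>", "0" * 64)  # placeholder digest, not a real one

ALLOW_ALL_RE = re.compile(r"--allow-all-(?:tools|paths)\b")
IMAGE_RE = re.compile(r"^\s*image:\s*(\S+)")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def job_block(text: str, job_name: str) -> List[str]:
    """Return the lines belonging to jobs.<job_name>, assuming 2-space indentation."""
    out, inside = [], False
    for line in text.splitlines():
        if re.match(rf"^  {re.escape(job_name)}:\s*$", line):
            inside = True
            continue
        if inside and re.match(r"^(  )?\S", line):  # next job or top-level key
            break
        if inside:
            out.append(line)
    return out


def triggers_on_opened_issue(text: str) -> bool:
    """True if the top-level `on:` block fires on issues being opened."""
    m = re.search(r"^on:\n((?:[ \t]+.*\n?)+)", text, re.M)
    block = m.group(1) if m else ""
    return "issues:" in block and "opened" in block


def audit(text: str) -> List[str]:
    """Return human-readable findings for the three lock-file issue classes."""
    findings = []
    if triggers_on_opened_issue(text):
        gate = job_block(text, "pre_activation")
        if not any(re.match(r"^    if:", line) for line in gate):
            findings.append("pre_activation: runs on every opened issue (no label gate)")
    for n, line in enumerate(text.splitlines(), 1):
        for m in ALLOW_ALL_RE.finditer(line):
            findings.append(f"line {n}: agent invoked with {m.group(0)}")
        m = IMAGE_RE.match(line)
        if m and not DIGEST_RE.search(m.group(1)):
            findings.append(f"line {n}: image {m.group(1)} is not pinned by digest")
    return findings


if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{name}: {audit(sample) or ['no findings']}")
```

Running it reports four findings on the "before" fragment (the missing gate, the unpinned image, and one finding per `--allow-all-*` flag) and none on the "after" fragment. The check is deliberately line-oriented rather than a full YAML parse so it can run on a compiled lock file without extra dependencies; a multi-label gate written as `contains(...) || contains(...)` on the `if:` line passes the same check.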