Conversation
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8d28371f-1b2f-4b6b-95b0-b9c54794aa37 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…of git describe Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8d28371f-1b2f-4b6b-95b0-b9c54794aa37 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Updates the Instructions Janitor workflow instructions to determine the “latest release” baseline via the GitHub MCP API (instead of git describe, which is unreliable in shallow clones), and regenerates related locked workflow artifacts.
Changes:
- Replaced
git describe --tags --abbrev=0guidance withget_latest_release(owner="github", repo="gh-aw"), and madeRELEASE_DATEexplicitly come frompublished_at. - Removed
git describefrom the Instructions Janitor bash allowlist / allowed-tools in the locked workflow. - Regenerated
daily-doc-updater.lock.yml(cache key change) and added trusted-users guard configuration.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/instructions-janitor.md | Switches “latest release” discovery to get_latest_release and documents using published_at as RELEASE_DATE. |
| .github/workflows/instructions-janitor.lock.yml | Regenerated lock file removing git describe from allowed bash/tools and updating embedded prompt IDs/config blocks. |
| .github/workflows/daily-doc-updater.lock.yml | Regenerated lock file updating cache key and adding trusted-users parsing + guard policy field. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| ```bash | ||
| git describe --tags --abbrev=0 | ||
| ``` |
There was a problem hiding this comment.
The code fence for the get_latest_release(...) call is missing a language tag (e.g., text). This file’s own style guidelines (see “Use YAML/markdown code blocks with appropriate language tags”) and other workflow instruction files use language tags, so this block should be updated for consistency/readability.
| ``` | |
| ```text |
| ```bash | ||
| # Get documentation commits since the last release | ||
| git log --since="RELEASE_DATE" --pretty=format:"%h %s" -- docs/ | ||
| ``` |
There was a problem hiding this comment.
Step 2 shows git log --since="RELEASE_DATE" --pretty=format:"%h %s" -- docs/, but the workflow’s allowed bash command in frontmatter is git log --since='*' --pretty=format:'%h %s' -- docs/ (single quotes). If the agent follows the documented command literally, it may be rejected by the bash allowlist. Please align the documented command’s quoting/pattern with the allowed command (or expand the allowlist to cover the documented form).
|
|
||
| If no tags exist, use the date from the CHANGELOG.md file to find the latest release version. | ||
| Use the `tag_name` field as the release version and the `published_at` field as `RELEASE_DATE`. | ||
|
|
There was a problem hiding this comment.
The previous instructions included a fallback for repos without tags; after switching to get_latest_release, there’s no equivalent guidance for the case where the repo has no releases / the API returns 404. Without a fallback, the workflow run may get stuck without a RELEASE_DATE baseline. Consider documenting a deterministic fallback (e.g., use the most recent tag via list_tags, or use the latest CHANGELOG entry date) when get_latest_release returns no result.
| If `get_latest_release` returns no result (for example, the repository has no releases and the API returns 404), fall back to a deterministic baseline: | |
| - Use the GitHub toolset to list tags and select the most recent tag: | |
| - `list_tags(owner="github", repo="gh-aw")` (or equivalent). | |
| - Use the latest tag’s `name` as the release version. | |
| - Set `RELEASE_DATE` to the commit date of that tag (for example, via `git log -1 --format="%aI" TAG_NAME` or the corresponding commit date from the GitHub API). |
| - name: Parse integrity filter lists | ||
| id: parse-guard-vars | ||
| env: | ||
| GH_AW_BLOCKED_USERS_VAR: ${{ vars.GH_AW_GITHUB_BLOCKED_USERS || '' }} | ||
| GH_AW_TRUSTED_USERS_VAR: ${{ vars.GH_AW_GITHUB_TRUSTED_USERS || '' }} | ||
| GH_AW_APPROVAL_LABELS_EXTRA: cookie | ||
| GH_AW_APPROVAL_LABELS_VAR: ${{ vars.GH_AW_GITHUB_APPROVAL_LABELS || '' }} | ||
| run: bash ${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh |
There was a problem hiding this comment.
This PR’s description focuses on switching Instructions Janitor from git describe to get_latest_release, but this workflow also adds trusted-user parsing (GH_AW_TRUSTED_USERS_VAR) and consumes steps.parse-guard-vars.outputs.trusted_users. Please confirm this behavior change is intentional (and, if so, consider calling it out in the PR description since it affects guard policy configuration).
| "allow-only": { | ||
| "approval-labels": ${{ steps.parse-guard-vars.outputs.approval_labels }}, | ||
| "blocked-users": ${{ steps.parse-guard-vars.outputs.blocked_users }}, | ||
| "min-integrity": "approved", | ||
| "repos": "all" | ||
| "repos": "all", | ||
| "trusted-users": ${{ steps.parse-guard-vars.outputs.trusted_users }} | ||
| } |
There was a problem hiding this comment.
The allow-only guard policy now includes a trusted-users field. Since this changes authorization semantics for GitHub MCP calls in this workflow, it would be good to confirm the intended trusted-user source/behavior (and ensure the corresponding org/repo variable GH_AW_GITHUB_TRUSTED_USERS is set appropriately where this workflow runs).
git describe --tags --abbrev=0fails silently in shallow clones (GitHub Actions default), causing the workflow to fall back to a stale/incorrect release version when determining what documentation changes to review.Changes
git describe --tags --abbrev=0from allowed bash commandsget_latest_release(owner="github", repo="gh-aw")via GitHub MCP — always accurate regardless of git clone depthRELEASE_DATEfrom thepublished_atfield of the MCP response rather than leaving it implicit