
feat: fix runtime-import in cross-repo workflow_call by detecting callee repository at checkout #20301

Merged
pelikhan merged 6 commits into main from
copilot/add-workflow-call-validation
Mar 10, 2026

Contributor

Copilot AI commented Mar 10, 2026

In workflow_call context, github.repository is the caller's repo. The activation job's actions/checkout was using that default, so the callee's .md files were never on disk and processRuntimeImport() threw ERR_SYSTEM: Runtime import file not found.

Compiler changes

  • hasWorkflowCallTrigger(onSection string) bool (compiler_workflow_call.go) — standalone helper, mirrors the detection pattern already used in injectWorkflowCallOutputs

  • (*CheckoutManager).GenerateGitHubFolderCheckoutStep(repository string, getActionPin func) []string (checkout_manager.go) — method on CheckoutManager that centralizes .github/.agents sparse checkout generation; accepts an optional repository value that can be a literal slug or a GitHub Actions expression

  • generateCheckoutGitHubFolderForActivation (compiler_activation_job.go) — creates a NewCheckoutManager(nil) and calls the method; when workflow_call is in on: and inlined-imports is not enabled, injects a conditional repository: expression:

    repository: ${{ github.event_name == 'workflow_call' && github.action_repository || github.repository }}

    Falls back to the caller's repo for every other event type, so mixed triggers (e.g. workflow_call + workflow_dispatch) work correctly without a second checkout. When inlined-imports: true is set, the cross-repo conditional is skipped because markdown content is embedded at compile time and no runtime-import macros are used — the callee's .md files are not needed at runtime.

  • Cross-repo guidance step (buildActivationJob) — injected only when workflow_call is present; runs on failure() && github.event_name == 'workflow_call' and emits ::error:: annotations directing the caller team to configure COPILOT_GITHUB_TOKEN in their repo.

  • secrets: inherit support for reusable workflow call jobs (jobs.go, compiler_jobs.go, JSON schema) — added SecretsInherit bool to the Job struct, updated rendering to emit secrets: inherit, updated the compiler to parse the "inherit" string value (previously only a map was handled), and extended the JSON schema to accept both.

New workflow

  • smoke-water.yml — plain GitHub Actions trigger file (matching the pattern of smoke-trigger.yml) that triggers on PR label water (plus workflow_dispatch) and calls smoke-workflow-call.lock.yml with secrets: inherit and the required permissions.

Tests

  • TestHasWorkflowCallTrigger — 6 cases covering mixed triggers, empty string, and workflow_dispatch-only
  • TestGenerateCheckoutGitHubFolderForActivation_WorkflowCall — verifies conditional repository: is present/absent based on trigger; action-tag skip behavior preserved; inlined-imports case falls back to standard checkout
  • TestGenerateGitHubFolderCheckoutStep — covers empty, literal, and expression repository values
  • TestBuildJobsWithReusableWorkflowSecretsInherit — verifies secrets: inherit is correctly emitted in compiled YAML for a reusable workflow call job

Docs

  • glossary.md Trigger File entry expanded to mention cross-repo usage and secrets: inherit billing implications
  • central-repo-ops.mdx — new ## Cross-Repository Trigger File section with example caller stub, visibility requirements, secrets config, and how the compiler handles checkout; corrected an existing incorrect warning that stated secrets: inherit does not work across repos (it does)

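The checkout decision described in the PR description above, as an added Go example that is not gh-aw's own code: it picks the `repository:` value from the trigger set and the inlined-imports flag, renders the sparse checkout step, and models how the `&&`/`||` chain resolves. The function names, the step name, the `<pinned-sha>` placeholder and the context values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Expression quoted in the PR description.
const crossRepoExpr = "${{ github.event_name == 'workflow_call' && github.action_repository || github.repository }}"

// hasWorkflowCallKey is a hypothetical stand-in for the PR's hasWorkflowCallTrigger
// (its body is not shown on the page). It strips YAML comments and looks for
// workflow_call as a whole token, so "workflow_call_extra" does not match.
func hasWorkflowCallKey(onSection string) bool {
	for _, line := range strings.Split(onSection, "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		tokens := strings.FieldsFunc(line, func(r rune) bool {
			return !(r == '_' || r == '-' || r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9')
		})
		for _, tok := range tokens {
			if tok == "workflow_call" {
				return true
			}
		}
	}
	return false
}

// checkoutRepository returns the repository: value for the activation checkout.
// An empty string means "emit no repository: key" (standard checkout).
func checkoutRepository(onSection string, inlinedImports bool) string {
	if hasWorkflowCallKey(onSection) && !inlinedImports {
		return crossRepoExpr
	}
	return ""
}

// githubFolderCheckoutStep renders a sparse checkout of .github and .agents.
// repository may be empty, a literal slug, or an expression.
func githubFolderCheckoutStep(repository string) []string {
	lines := []string{
		"- name: Checkout .github and .agents folders", // assumed step name
		"  uses: actions/checkout@<pinned-sha>",        // placeholder, not a real pin
		"  with:",
	}
	if repository != "" {
		lines = append(lines, "    repository: "+repository)
	}
	return append(lines,
		"    sparse-checkout: |",
		"      .github",
		"      .agents",
		"    persist-credentials: false",
	)
}

// resolveRepository models `A && B || C` as GitHub Actions expressions evaluate
// it: B is chosen only when A is true and B is non-empty (an empty string is
// falsy); in every other case the result is C, the caller's repository.
func resolveRepository(eventName, actionRepository, repository string) string {
	if eventName == "workflow_call" && actionRepository != "" {
		return actionRepository
	}
	return repository
}

func main() {
	// Constructed on: section with mixed triggers.
	on := "workflow_call:\nworkflow_dispatch:\n"
	fmt.Println(strings.Join(githubFolderCheckoutStep(checkoutRepository(on, false)), "\n"))

	// Constructed context values: event name, action repository, caller repository.
	for _, c := range [][3]string{
		{"workflow_call", "org/callee", "org/caller"},
		{"workflow_call", "", "org/caller"}, // empty middle operand: caller repo is checked out
		{"workflow_dispatch", "", "org/caller"},
	} {
		fmt.Printf("%-18s action_repository=%-12q -> %s\n", c[0], c[1], resolveRepository(c[0], c[1], c[2]))
	}
}
```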

- Add hasWorkflowCallTrigger() helper to compiler_workflow_call.go
- Add GenerateGitHubFolderCheckoutStep() to checkout_manager.go (uses
  checkout manager as recommended by @pelikhan)
- Modify generateCheckoutGitHubFolderForActivation() to emit cross-repo-
  aware checkout with github.action_repository expression when workflow_call
  is detected
- Add cross-repo guidance step in buildActivationJob() for actionable
  error messages when secret validation fails in workflow_call context
- Add TestHasWorkflowCallTrigger tests and new compiler_activation_job_test.go
- Update wasm golden files for new persist-credentials field ordering
- Update glossary.md Trigger File entry with cross-repo information
- Add Cross-Repository Trigger File section to central-repo-ops.mdx
- Fix incorrect warning about secrets: inherit not working cross-repo

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add cross-repo workflow_call validation and documentation" to "feat: fix runtime-import in cross-repo workflow_call by detecting callee repository at checkout" Mar 10, 2026
@pelikhan
Contributor

@copilot disable if inlined-imports is enabled.

When inlined-imports: true, markdown is embedded at compile time and
no runtime-import macros are used. The callee's .md files are not
needed at runtime, so the workflow_call cross-repo checkout
(github.action_repository) is not needed. Fall back to the standard
checkout in that case.

Also adds a test case for workflow_call + inlined-imports.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 10, 2026

@copilot disable if inlined-imports is enabled.

Done in 3372558. When inlined-imports: true, the markdown is embedded at compile time so no {{#runtime-import}} macros are generated — the callee's .md files are never needed on disk. The !data.InlinedImports guard now skips the cross-repo github.action_repository conditional and falls back to the standard checkout.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


@pelikhan
Contributor

@copilot review modified code and reuse checkout manager to generate checkout code

…anager

Converts the standalone package-level function to a method on
*CheckoutManager, so the activation job uses the checkout manager
abstraction to generate the .github/.agents sparse checkout step.
The caller creates NewCheckoutManager(nil) to invoke the method.

Test updated to use NewCheckoutManager(nil).GenerateGitHubFolderCheckoutStep().

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 10, 2026

@copilot review modified code and reuse checkout manager to generate checkout code

Done in 49acac2. GenerateGitHubFolderCheckoutStep is now a method on *CheckoutManager instead of a standalone package-level function. generateCheckoutGitHubFolderForActivation creates a NewCheckoutManager(nil) and calls the method, properly routing through the checkout manager abstraction.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


@pelikhan
Contributor

@copilot add an agentic workflow that uses smoke-workflow-call agentic workflow. Runs on label "water"

… label water

- Add smoke-water.md workflow that triggers on PR label "water" and
  delegates to smoke-workflow-call.lock.yml via a jobs: uses: entry
- Add SecretsInherit field to Job struct to support secrets: inherit
  for reusable workflow call jobs
- Update compiler_jobs.go to parse secrets: inherit string value
- Update JSON schema to allow secrets: inherit or map for jobs
- Add TestBuildJobsWithReusableWorkflowSecretsInherit test

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 10, 2026

@copilot add an agentic workflow that uses smoke-workflow-call agentic workflow. Runs on label "water"

Done in 539dc0c. Added smoke-water.md — an agentic workflow that runs on the water label and delegates to smoke-workflow-call via a jobs: uses: entry with secrets: inherit. Also added compiler support for secrets: inherit on reusable workflow call jobs (Job struct field, compiler parsing, JSON schema update, and a new test).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha ignore-path ../../../.prettierignore (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env &#39;**/*.ts&#39; &#39;**/*.json&#39; --ignore-path ../../../.pr**/*.json GO111MODULE bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --write ../../../**/*.jsGOWORK 64/bin/go --ignore-path ../../../.pretti-V=full /usr/bin/git go /pre�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha */*.ts&#39; &#39;**/*.jstest-logs/run-4 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu--json env -json GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha tformat GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE c0680e9215793300-atomic GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha prettier --write modules/@npmcli/run-script/lib/node-gyp-bin/node !../../../pkg/wobash --ignore-path ../../../.pretti--noprofile go /pre�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/pkg/tool/linu168.63.129.16 GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuowner env -json GO111MODULE ache/go/1.25.0/xACCEPT GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel nly /usr/bin/git */*.ts&#39; &#39;**/*.js/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ignore-path ../../../.prettierignore (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha tmatter-with-nested-objects.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 1714287411/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha 2238550895/.github/workflows GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env &#39;**/*.ts&#39; &#39;**/*.--workflow GO111MODULE ache/go/1.25.0/x--limit GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion **/*.json --ignore-path ../../../.pretti--show-toplevel 64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ck &#39;scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go m/_n�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go --show-toplevel go /usr/bin/git node /hom�� --write scripts/**/*.js 64/bin/go .prettierignore --log-level=erro-c /usr/bin/git go (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build450150351/b383/cli.test /tmp/go-build450150351/b383/cli.test -test.testlogfile=/tmp/go-build450150351/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD ode-gyp-bin/sh ortcfg k/gh�� ripts/lint_errorGOINSECURE ripts/lint_errorGOMOD 64/bin/go GOINSECURE GOMOD erignore ache/go/1.25.0/xGO111MODULE (http block)
    • Triggering command: /tmp/go-build3046324005/b383/cli.test /tmp/go-build3046324005/b383/cli.test -test.testlogfile=/tmp/go-build3046324005/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true --show-toplevel go /usr/bin/git node /opt�� prettier --write 64/bin/go --ignore-path .prettierignore --log-level=erro--check sh (http block)
    • Triggering command: /tmp/go-build2858482903/b359/cli.test /tmp/go-build2858482903/b359/cli.test -test.testlogfile=/tmp/go-build2858482903/b359/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.short=true th .prettierignore GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE h GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ck &#39;scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name npx prettier --wGOINSECURE git 64/bin/go --show-toplevel 64/pkg/tool/linu/opt/hostedtoolcache/node/24.14.0/x64/bin/npm /usr/bin/git sh -c &#34;prettier&#34; --wriGOSUMDB git 64/bin/go tierignore go /usr/bin/git node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ode GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Contributor

@copilot convert smoke-water agentic workflow into a simple action .yml file that does the trigger

Replace smoke-water.md + smoke-water.lock.yml with a simple
smoke-water.yml that directly calls smoke-workflow-call.lock.yml
on PR label "water" or workflow_dispatch, matching the pattern
used by smoke-trigger.yml.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 10, 2026

@copilot convert smoke-water agentic workflow into a simple action .yml file that does the trigger

Done in c54da2e. Replaced smoke-water.md + smoke-water.lock.yml with a plain smoke-water.yml that directly calls smoke-workflow-call.lock.yml, following the same pattern as smoke-trigger.yml.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@github-actions
Contributor

🧪 Smoke Project is now testing project operations...

@github-actions
Contributor

github-actions bot commented Mar 10, 2026

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

@github-actions
Contributor

📰 BREAKING: Smoke Copilot ARM64 is now investigating this pull request. Sources say the story is developing...

@github-actions
Contributor

🧪 Smoke Temporary ID is now testing temporary ID functionality...

@github-actions
Contributor

✅ Checkout Validation: PASS

Check Result
Branch copilot/add-workflow-call-validation
Workspace Clean (nothing to commit, working tree clean)
Remote origin https://github.com/github/gh-aw.git
Latest commits c54da2e, 539dc0c, 49acac2

All git commands executed successfully. The PR branch is correctly checked out in the workflow_call context.

🔁 workflow_call smoke test by Smoke Workflow Call ·

@github-actions
Contributor

Smoke Temporary ID completed successfully. Temporary ID validation passed.

@github-actions
Contributor

Smoke Project completed successfully. All project operations validated.

@github-actions
Contributor

Smoke Test Results

  • GitHub MCP: ✅
  • Web Fetch: ✅
  • File Writing: ✅
  • Bash Tool: ✅
  • Build gh-aw: ❌ (Go 1.25.0 required, download failed)

Overall Status: FAIL

Smoke Gemini — Powered by Gemini ·

@github-actions
Contributor

🦾 ARM64 Smoke Test — Run §22899200728

Architecture: aarch64 ✅ | Author: @Copilot | Assignees: @pelikhan @Copilot

Test Result
Architecture (aarch64)
GitHub MCP (merged PRs #20328, #20323)
MCP Scripts GH CLI (#20333, #20332)
Serena MCP ❌ not configured
Playwright (github.com title)
File Writing + Bash
Discussion Interaction (#20334)
Build (make build on ARM64)
Discussion Creation
Haiku Dispatch
PR Review (inline comments)

Overall: ⚠️ PASS (11/12 — Serena MCP not available in this config)

📰 BREAKING: Report filed by Smoke Copilot ARM64 ·

Contributor

@github-actions github-actions bot left a comment

ARM64 smoke test agent reviewed PR #20301. The cross-repo workflow_call checkout fix looks solid — centralizing .github/.agents checkout into GenerateGitHubFolderCheckoutStep is a clean refactor, and the conditional github.action_repository expression correctly handles mixed triggers. The secrets: inherit support is well-implemented. One minor nit on strings.Contains for trigger detection (see inline). Overall good work! ✅

📰 BREAKING: Report filed by Smoke Copilot ARM64

// hasWorkflowCallTrigger checks if the on section contains a workflow_call trigger.
// Used to detect cross-repo reusable workflow usage for checkout and error handling.
func hasWorkflowCallTrigger(onSection string) bool {
return strings.Contains(onSection, "workflow_call")
Contributor

strings.Contains works fine for the current on: YAML formats, but worth noting this could theoretically false-positive on a custom event key that contains the substring workflow_call (e.g. workflow_call_custom). A more precise approach using word-boundary regex or YAML parsing would be more robust, though it may be overkill given the current serialized YAML format used internally.
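
The false positive raised in the comment above, as an added Go example that is not the project's code: the substring check is compared with a check that reads only the event names declared directly under `on:`. The block-style layout of `onSection`, the helper names and the sample inputs are assumptions constructed for illustration; flow mappings such as `on: {workflow_call: {}}` are not handled and need a real YAML parser.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveHasWorkflowCall is the substring check quoted in the review thread.
func naiveHasWorkflowCall(onSection string) bool {
	return strings.Contains(onSection, "workflow_call")
}

// stripComment drops a trailing YAML comment, ignoring '#' inside quotes.
func stripComment(line string) string {
	var quote rune
	for i, r := range line {
		switch {
		case quote != 0:
			if r == quote {
				quote = 0
			}
		case r == '"' || r == '\'':
			quote = r
		case r == '#' && (i == 0 || line[i-1] == ' '):
			return line[:i]
		}
	}
	return line
}

func unquote(s string) string {
	return strings.Trim(strings.TrimSpace(s), `"'`)
}

// topLevelEvents lists the event names declared directly under "on:"
// (hypothetical helper; assumes space-indented block YAML).
func topLevelEvents(onSection string) []string {
	var events []string
	childIndent := -1
	for _, raw := range strings.Split(onSection, "\n") {
		line := stripComment(raw)
		trimmed := strings.TrimSpace(line)
		if trimmed == "" {
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		isItem := strings.HasPrefix(trimmed, "- ")
		if indent == 0 && !isItem {
			// The "on:" line itself, possibly with an inline scalar or flow sequence.
			key, value, found := strings.Cut(trimmed, ":")
			if !found || unquote(key) != "on" {
				continue
			}
			for _, item := range strings.Split(strings.Trim(strings.TrimSpace(value), "[]"), ",") {
				if name := unquote(item); name != "" {
					events = append(events, name)
				}
			}
			continue
		}
		if childIndent == -1 {
			childIndent = indent
		}
		if indent != childIndent {
			continue // nested trigger configuration, not an event name
		}
		if isItem {
			events = append(events, unquote(trimmed[2:]))
		} else if key, _, found := strings.Cut(trimmed, ":"); found {
			events = append(events, unquote(key))
		}
	}
	return events
}

// hasWorkflowCallEvent reports whether workflow_call is itself a declared trigger.
func hasWorkflowCallEvent(onSection string) bool {
	for _, event := range topLevelEvents(onSection) {
		if event == "workflow_call" {
			return true
		}
	}
	return false
}

// Constructed sample inputs; none come from the gh-aw repository.
var samples = []struct{ name, on string }{
	{"real trigger", "on:\n  workflow_call:\n  workflow_dispatch:\n"},
	{"lookalike key", "on:\n  workflow_call_custom:\n"},
	{"comment only", "on:\n  push: # TODO add workflow_call\n"},
	{"input description", "on:\n  workflow_dispatch:\n    inputs:\n      reason:\n        description: \"set by the workflow_call wrapper\"\n"},
}

func main() {
	for _, s := range samples {
		fmt.Printf("%-18s substring=%-5v event=%v\n", s.name, naiveHasWorkflowCall(s.on), hasWorkflowCallEvent(s.on))
	}
}
```

A false positive here matters because the compiler uses this result to decide whether the activation checkout gets the conditional `repository:` expression and the cross-repo guidance step.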

// - getActionPin: resolves an action reference to a pinned SHA form.
//
// Returns a slice of YAML lines (each ending with \n).
func (cm *CheckoutManager) GenerateGitHubFolderCheckoutStep(repository string, getActionPin func(string) string) []string {
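
Review bot: `getActionPin` is typed `func(string) string` in the signature of `GenerateGitHubFolderCheckoutStep`, so a reference that cannot be pinned has no way to report an error and can only come back as whatever string the callback chooses. The doc comment should say what the generated step contains in that case, or the callback should return `(string, error)`. The comment should also state whether `repository` is validated or quoted before it is placed in the returned YAML lines, since the parameter is a free-form string.
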
Contributor

Nice refactor! Centralizing the .github/.agents checkout logic into GenerateGitHubFolderCheckoutStep eliminates the duplicate inline YAML construction. The repository parameter design is clean — empty string = current repo, expression = cross-repo. The ordering of persist-credentials: false before sparse-checkout also fixes the inconsistency present in the old lock files.

@github-actions
Contributor

📰 VERDICT: Smoke Copilot ARM64 has concluded. All systems operational. This is a developing story. 🎤

@pelikhan pelikhan marked this pull request as ready for review March 10, 2026 11:23
Copilot AI review requested due to automatic review settings March 10, 2026 11:23
Contributor

Copilot AI left a comment

Pull request overview

Fixes cross-repository workflow_call runtime-import failures by making the activation job check out the callee repository (when needed) and adds first-class support for secrets: inherit on reusable-workflow call jobs.

Changes:

  • Add workflow_call trigger detection and use it to inject a cross-repo-aware .github/.agents sparse checkout (skipped when inlined-imports is enabled).
  • Add secrets: inherit support for reusable workflow call jobs across parsing, rendering, tests, and schema validation.
  • Update documentation and regenerate workflow lock/golden outputs to reflect the new checkout step rendering and cross-repo guidance.

Reviewed changes

Copilot reviewed 180 out of 180 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
pkg/workflow/compiler_workflow_call.go Adds hasWorkflowCallTrigger helper used for workflow_call detection.
pkg/workflow/compiler_workflow_call_test.go Adds unit tests for hasWorkflowCallTrigger.
pkg/workflow/checkout_manager.go Centralizes .github/.agents sparse-checkout step generation with optional repository:.
pkg/workflow/compiler_activation_job.go Adds cross-repo guidance step; uses centralized checkout generator; injects conditional repository: for workflow_call when not inlining imports.
pkg/workflow/compiler_activation_job_test.go Adds tests verifying conditional repository: behavior and centralized checkout output.
pkg/workflow/jobs.go Adds SecretsInherit to Job and renders secrets: inherit for reusable workflow calls.
pkg/workflow/compiler_jobs.go Parses secrets: inherit for reusable workflow call jobs.
pkg/workflow/compiler_jobs_test.go Adds test ensuring compiled YAML emits secrets: inherit for reusable workflow call jobs.
pkg/parser/schemas/main_workflow_schema.json Extends schema to allow secrets to be either "inherit" or an object map.
docs/src/content/docs/reference/glossary.md Expands “Trigger File” entry to cover cross-repo usage and secrets: inherit implications.
docs/src/content/docs/patterns/central-repo-ops.mdx Adds “Cross-Repository Trigger File” section and corrects secrets: inherit guidance.
.github/workflows/smoke-water.yml Adds new trigger workflow calling the reusable workflow with secrets: inherit.
.github/workflows/smoke-workflow-call.lock.yml Updates activation job to include cross-repo guidance and conditional repository: checkout; reorders checkout with: keys.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden Updates golden output for checkout with: key ordering.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden Updates golden output for checkout with: key ordering.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden Updates golden output for checkout with: key ordering.
.github/workflows/workflow-skill-extractor.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/workflow-normalizer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/workflow-health-manager.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/workflow-generator.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/weekly-issue-summary.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/weekly-editors-health-check.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/video-analyzer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/unbloat-docs.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/ubuntu-image-analyzer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/typist.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/tidy.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/test-workflow.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/test-project-url-default.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/test-dispatcher.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/test-create-pr-error-handling.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/terminal-stylist.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/technical-doc-writer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/super-linter.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/sub-issue-closer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/step-name-alignment.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/static-analysis-report.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/stale-repo-identifier.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-update-cross-repo-pr.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-test-tools.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-temporary-id.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-project.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-multi-pr.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-gemini.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-create-cross-repo-pr.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-copilot.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-copilot-arm.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-codex.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-claude.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/smoke-agent.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/slide-deck-maintainer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/sergo.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/semantic-function-refactor.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/security-review.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/security-compliance.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/security-alert-burndown.campaign.g.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/scout.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/schema-consistency-checker.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/safe-output-health.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/research.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/repository-quality-improver.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/repo-tree-map.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/repo-audit-analyzer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/release.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/refiner.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/q.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/python-data-charts.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/prompt-clustering-analysis.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/pr-triage-agent.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/pr-nitpick-reviewer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/portfolio-analyst.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/poem-bot.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/plan.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/pdf-summary.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/org-health-report.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/notion-issue-summary.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/metrics-collector.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/mergefest.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/mcp-inspector.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/lockfile-stats.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/layout-spec-maintainer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/jsweep.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/issue-triage-agent.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/issue-monster.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/issue-arborist.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/instructions-janitor.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/hourly-ci-cleaner.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/grumpy-reviewer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/gpclean.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/go-pattern-detector.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/go-logger.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/go-fan.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/glossary-maintainer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/github-remote-mcp-auth-test.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/github-mcp-tools-report.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/github-mcp-structural-analysis.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/functional-pragmatist.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/firewall.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/firewall-escape.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/example-workflow-analyzer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/example-permissions-warning.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/duplicate-code-detector.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/draft-pr-cleanup.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/docs-noob-tester.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/discussion-task-miner.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/dictation-prompt.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/developer-docs-consolidator.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/dev.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/dev-hawk.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/dependabot-go-checker.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/dependabot-burner.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/delight.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/deep-report.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/dead-code-remover.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-workflow-updater.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-testify-uber-super-expert.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-team-status.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-team-evolution-insights.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-syntax-error-quality.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-semgrep-scan.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-security-red-team.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-secrets-analysis.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-safe-outputs-conformance.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-safe-output-optimizer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-repo-chronicle.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-rendering-scripts-verifier.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-regulatory.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-performance-summary.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-observability-report.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-news.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-multi-device-docs-tester.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-malicious-code-scan.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-issues-report.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-firewall-report.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-file-diet.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-doc-updater.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-doc-healer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-copilot-token-report.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-compiler-quality.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-code-metrics.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-cli-tools-tester.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-cli-performance.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-choice-test.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-assign-issue-to-user.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/daily-architecture-diagram.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/craft.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/copilot-session-insights.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/copilot-pr-prompt-analysis.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/copilot-pr-nlp-analysis.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/copilot-pr-merged-report.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/copilot-cli-deep-research.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/copilot-agent-analysis.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/contribution-check.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/constraint-solving-potd.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/commit-changes-analyzer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/codex-github-remote-mcp-test.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/code-simplifier.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/code-scanning-fixer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/cloclo.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/cli-version-checker.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/cli-consistency-checker.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/claude-code-user-docs-review.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/ci-doctor.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/ci-coach.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/chroma-issue-indexer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/changeset.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/breaking-change-checker.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/brave.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/bot-detection.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/blog-auditor.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/auto-triage-issues.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/audit-workflows.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/artifacts-summary.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/archie.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/ai-moderator.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/agent-persona-explorer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/agent-performance-analyzer.lock.yml Regenerated lock output reflecting checkout with: key ordering.
.github/workflows/ace-editor.lock.yml Regenerated lock output reflecting checkout with: key ordering.


Comment on lines +664 to +669
switch sv := secrets.(type) {
case string:
if sv == "inherit" {
job.SecretsInherit = true
}
case map[string]any:
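
Review bot: the `case string:` arm has no `else`, so any string other than the exact literal `inherit` (a typo, or a differently cased value, since `sv == "inherit"` is an exact comparison) leaves `job.SecretsInherit` unset and produces no diagnostic. Fail closed here by returning a compile error that names the rejected value, so the mistake surfaces at compile time rather than as a missing secret when the called workflow runs.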

Copilot AI Mar 10, 2026

secrets parsing silently ignores string values other than the supported literal inherit. Given the schema now only allows the string constant inherit (or a map), this should return a compilation/validation error for any other string (or unsupported type) to avoid producing a reusable-workflow job that unintentionally runs without the intended secrets configuration.

@pelikhan pelikhan merged commit 61a7eb1 into main Mar 10, 2026
175 of 177 checks passed
@pelikhan pelikhan deleted the copilot/add-workflow-call-validation branch March 10, 2026 11:42
Development

Successfully merging this pull request may close these issues.

Feature Request: Cross-repo workflow_call validation and docs

3 participants