Harden validate-yaml release-build lockfile detection in CGO workflow #38112

Merged: pelikhan merged 4 commits into main from copilot/fix-cgo-workflow-failure on Jun 9, 2026

Copilot AI commented Jun 9, 2026

CGO run #11194 failed in validate-yaml because a release-compiled workflow lockfile reached main. The existing guard only matched one release marker pattern and missed other valid release signatures.

  • Root cause addressed

    • Expanded lockfile validation in .github/workflows/cgo.yml to detect release builds via either:
      • header marker: generated by gh-aw (vX.Y.Z)
      • metadata marker: "compiler_version" in gh-aw-metadata
  • Validation logic update

    • Reworked per-file check to capture and report detected marker lines directly.
    • Kept failure semantics the same: any release marker in committed *.lock.yml fails validate-yaml.
  • Operator-facing output

    • Updated messaging from “version in header” to “release markers (header or metadata)” for clearer triage.

```bash
HEADER_MARKER=$(grep -E '^# This file was automatically generated by gh-aw \([v0-9]' "$file" || true)
METADATA_MARKER=$(grep -E '^# gh-aw-metadata: .*"compiler_version":' "$file" || true)

if [ -n "$HEADER_MARKER$METADATA_MARKER" ]; then
  echo "❌ ERROR: Found release-compiled lock file: $file"
  printf '%s\n%s\n' "$HEADER_MARKER" "$METADATA_MARKER" | sed '/^$/d'
fi
```
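
The check described in this PR, extended into a runnable scan over a directory of lockfiles (an added example, not the code merged in cgo.yml). The two grep patterns are the ones quoted above; the function names, the fixture files and the v1.2.3 version string are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: fail when any *.lock.yml carries a release-build marker.

# Print the release-marker lines found in one lockfile (prints nothing if clean).
release_markers() {
  local file=$1 header metadata
  header=$(grep -E '^# This file was automatically generated by gh-aw \([v0-9]' "$file" || true)
  metadata=$(grep -E '^# gh-aw-metadata: .*"compiler_version":' "$file" || true)
  printf '%s\n%s\n' "$header" "$metadata" | sed '/^$/d'
}

# Scan every lockfile in a directory; return 1 if any marker was found.
# All offenders are reported before failing, so one run lists every bad file.
scan_lockfiles() {
  local dir=$1 found=0 file markers
  for file in "$dir"/*.lock.yml; do
    [ -e "$file" ] || continue   # glob matched nothing
    markers=$(release_markers "$file")
    if [ -n "$markers" ]; then
      echo "ERROR: Found release-compiled lock file: $file"
      printf '%s\n' "$markers" | sed 's/^/    /'
      found=1
    fi
  done
  return "$found"
}

# Constructed fixtures: one dev-compiled file, one with a versioned header,
# one whose only release marker is compiler_version in the metadata line.
make_fixtures() {
  local dir=$1
  local plain='# This file was automatically generated by gh-aw. DO NOT EDIT.'
  printf '%s\n' '# gh-aw-metadata: {"schema_version":"v4","strict":true}' \
    "$plain" 'name: dev' > "$dir/dev.lock.yml"
  printf '%s\n' '# gh-aw-metadata: {"schema_version":"v4","strict":true}' \
    '# This file was automatically generated by gh-aw (v1.2.3). DO NOT EDIT.' \
    'name: header' > "$dir/header.lock.yml"
  printf '%s\n' '# gh-aw-metadata: {"schema_version":"v4","compiler_version":"v1.2.3"}' \
    "$plain" 'name: meta' > "$dir/meta.lock.yml"
}

tmp=$(mktemp -d)
make_fixtures "$tmp"
scan_lockfiles "$tmp" || echo "validate-yaml would fail here"
rm -rf "$tmp"
```

The metadata-only fixture is the case a header-only check lets through: its header line has no version, so only the compiler_version pattern catches it.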

Copilot AI linked an issue Jun 9, 2026 that may be closed by this pull request
Copilot AI and others added 3 commits June 9, 2026 12:59
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix CGO workflow failure on main branch" to "Harden validate-yaml release-build lockfile detection in CGO workflow" Jun 9, 2026
Copilot AI requested a review from pelikhan June 9, 2026 13:09
@pelikhan pelikhan marked this pull request as ready for review June 9, 2026 13:16
Copilot AI review requested due to automatic review settings June 9, 2026 13:16
@pelikhan pelikhan merged commit 336c289 into main Jun 9, 2026
@pelikhan pelikhan deleted the copilot/fix-cgo-workflow-failure branch June 9, 2026 13:16

Copilot AI left a comment

Pull request overview

This PR hardens the validate-yaml guard in the CGO workflow so committed *.lock.yml files are rejected when they contain either supported release-build signature (versioned header marker or compiler_version in gh-aw-metadata), improving detection and triage output.

Changes:

  • Expand .lock.yml release-build detection in .github/workflows/cgo.yml to match both header and metadata release markers, and print the matched marker lines.
  • Regenerate .github/workflows/daily-safeoutputs-git-simulator.lock.yml, removing release markers (notably compiler_version / versioned header) and updating the compiled workflow content.

| File | Description |
| --- | --- |
| .github/workflows/cgo.yml | Updates the validate-yaml lockfile scan to detect and report both header-based and metadata-based release-build markers. |
| .github/workflows/daily-safeoutputs-git-simulator.lock.yml | Regenerates a compiled workflow lockfile to a dev-compiled form (no release markers) alongside a large set of generated workflow updates. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Comment on lines +1 to 4
# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"3c36c6ee7382018cd9c6f0dbe3b6c652c4db0da12899fc87a1586c148e9a76d6","body_hash":"63a8dc174c0c6c76a516ac3f4e2109d461f847da65c70ef77adc4f0ab0f2186b","strict":true,"agent_id":"claude","engine_versions":{"claude":"2.1.168"}}
# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_CI_TRIGGER_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.68"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.68"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.25.68"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.68"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.25","digest":"sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa"},{"image":"ghcr.io/github/github-mcp-server:v1.1.2","digest":"sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c","pinned_image":"ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c"},{"image":"node:lts-alpine","digest":"sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14","pinned_image":"node:lts-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14"}]}
# ___ _ _
# / _ \ | | (_)
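
Review bot: In the gh-aw-manifest line, the four ghcr.io/github/gh-aw-firewall images (agent, api-proxy, cli-proxy and squid, all at 0.25.68) are recorded by tag only, while gh-aw-mcpg, github-mcp-server and node:lts-alpine each carry a digest and a pinned_image. A tag can be repointed after this lockfile is committed, so the manifest does not fix what those four containers resolve to; consider recording a sha256 digest for them as well, or noting why they are exempt. The gh-aw-metadata line above it has no "compiler_version" key, which is consistent with the dev-compiled form the new validate-yaml check expects.
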
Development

Successfully merging this pull request may close these issues.

[CGO] Workflow failure on main - Run #11194

3 participants