Skip to content

Upgrade gh-aw to v0.81.6 and remove unused agentic workflows#1325

Merged
IEvangelist merged 2 commits into
mainfrom
ievangelist-fix-integration-updater
Jul 2, 2026
Merged

Upgrade gh-aw to v0.81.6 and remove unused agentic workflows#1325
IEvangelist merged 2 commits into
mainfrom
ievangelist-fix-integration-updater

Conversation

@IEvangelist

@IEvangelist IEvangelist commented Jul 2, 2026

Copy link
Copy Markdown
Member

Problem

All four scheduled agentic workflows were failing on every run:

  • update-integration-data (failing runs)
  • ci-coach
  • issue-arborist
  • workflow-health-manager

Each run aborts in the agent step with a non-retryable error:

Authentication failed with provider at http://172.30.0.30:10002 (HTTP 401)

Root cause

The lock files were last compiled with gh-aw v0.74.8, whose firewall / api-proxy stack (v0.25.49) is no longer compatible with current Copilot provider authentication. The sandboxed Copilot CLI can't authenticate against the api-proxy, so every run fails before doing any work. This is an infrastructure/tooling issue — the integration-data scripts themselves are fine.

Fix

Two parts:

  1. Keep and fix update-integration-data — the workflow we still want. Recompiled with gh-aw v0.81.6 (latest stable), which ships an updated firewall stack (v0.27.11) with token steering and digest-pinned images.
  2. Remove ci-coach, issue-arborist, and workflow-health-manager — deleted rather than fixed, since we're no longer running them.

Changes

update-integration-data (upgraded):

  • Regenerate update-integration-data.lock.yml with gh-aw v0.81.6
  • Update shared .github/aw/actions-lock.json (gh-aw-actions/setup@v0.81.6 + new setup-cli action)
  • Bump the gh-aw pin in .github/workflows/copilot-setup-steps.yml to v0.81.6
  • Refresh gh-aw doc URLs in .github/agents/agentic-workflows.agent.md to v0.81.6

New file: .github/workflows/agentics-maintenance.yml — a maintenance companion emitted by the v0.81.6 compiler because update-integration-data declares close/create safe outputs. Its blast radius, to be explicit:

  • Daily cron (37 0 * * *): runs a close-expired-entities job that can close agentic-created discussions, issues, and pull requests once their safe-output expires TTL has passed. No workflow in this repo sets expires today, so the scheduled job is effectively a no-op right now, but the capability is present.
  • Manual workflow_dispatch operations: disable, enable, update, upgrade, safe_outputs (replay), create_labels, activity_report, close_agentic_workflows_issues, clean_cache_memories, update_pull_request_branches, validate, forecast.
  • Standalone: update-integration-data's own close-pull-request handling lives in its own lock file and does not depend on this workflow.
  • Can be disabled by adding .github/workflows/aw.json with {"maintenance": false} and recompiling, if the auto-maintenance behavior isn't wanted.

Removed workflows (source + lock deleted):

  • ci-coach.md / ci-coach.lock.yml
  • issue-arborist.md / issue-arborist.lock.yml
  • workflow-health-manager.md / workflow-health-manager.lock.yml

Notable migration deltas (v0.74.8 → v0.81.6)

  • Lock schema v3 → v4 (adds body_hash, engine_versions)
  • Firewall images 0.25.49 → 0.27.11 (now digest-pinned)
  • github-mcp-server v1.0.4 → v1.4.0; mcp-gateway v0.3.9 → v0.3.30
  • New setup-cli composite action; Copilot CLI engine pinned
  • setup-dotnet v5.2.0 → v5.3.0

Validation

  • gh aw compile --validate passes (0 errors, 0 warnings)
  • No update-integration-data source (.md) changes — only the regenerated artifact and version pins
  • Line endings verified LF in the git index (matches .gitattributes)

Once merged, the next scheduled update-integration-data run should authenticate and complete successfully.

Co-authored-by: Copilot App 223556219+Copilot@users.noreply.github.com

The scheduled agentic workflows (update-integration-data, ci-coach,
issue-arborist, workflow-health-manager) were all failing with
"Authentication failed with provider ... (HTTP 401)". The root cause was
the outdated gh-aw v0.74.8 firewall / api-proxy stack (v0.25.49), which
is incompatible with current Copilot provider authentication.

Recompiled all four workflows with gh-aw v0.81.6 (latest stable), which
ships an updated firewall stack (v0.27.11) with token steering and
digest-pinned images.

Changes:
- Regenerate all four *.lock.yml files with gh-aw v0.81.6
- Update shared .github/aw/actions-lock.json (setup@v0.81.6 + new setup-cli)
- Add generated .github/workflows/agentics-maintenance.yml (v0.81.6 output)
- Bump gh-aw pin in copilot-setup-steps.yml to v0.81.6
- Refresh gh-aw doc URLs in agentic-workflows.agent.md to v0.81.6

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@IEvangelist IEvangelist marked this pull request as ready for review July 2, 2026 12:40
Copilot AI review requested due to automatic review settings July 2, 2026 12:40
@IEvangelist IEvangelist enabled auto-merge (squash) July 2, 2026 12:40

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Upgrades the repository’s scheduled agentic GitHub Actions workflows to a newer gh-aw compiler/runtime to address Copilot authentication failures during the agent step, and refreshes related pins/artifacts.

Changes:

  • Regenerated agentic workflow lock files with gh-aw v0.81.6 (schema v4, updated firewall/mcp-gateway stack, updated action/image pins).
  • Updated the shared action lock and Copilot setup workflow to use the new gh-aw-actions/setup-cli@v0.81.6.
  • Added the generated agentics-maintenance.yml workflow and updated agent documentation links to gh-aw v0.81.6.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
.github/workflows/update-integration-data.lock.yml Regenerated lock workflow with gh-aw v0.81.6 (new schema/runtime pins).
.github/workflows/ci-coach.lock.yml Regenerated lock workflow with gh-aw v0.81.6 (new schema/runtime pins).
.github/workflows/issue-arborist.lock.yml Regenerated lock workflow with gh-aw v0.81.6 (new schema/runtime pins).
.github/workflows/workflow-health-manager.lock.yml Regenerated lock workflow with gh-aw v0.81.6 (new schema/runtime pins).
.github/workflows/copilot-setup-steps.yml Bumped setup-cli action + gh-aw version pin to v0.81.6.
.github/workflows/agentics-maintenance.yml Added generated maintenance workflow emitted by gh-aw v0.81.6.
.github/aw/actions-lock.json Updated shared action lock entries for gh-aw-actions/* to v0.81.6 (incl. setup-cli).
.github/agents/agentic-workflows.agent.md Updated gh-aw documentation URLs to v0.81.6.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +24 to +31
# This file defines the generated agentic maintenance workflow for this repository.
# It runs scheduled cleanup for expiring safe outputs and supports manual maintenance operations.
#
# This workflow is generated automatically when workflows use expiring safe outputs
# or when repository maintenance features are enabled in .github/workflows/aw.json.
#
# To disable maintenance workflow generation, set in .github/workflows/aw.json:
# {"maintenance": false}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — I've updated the PR description to document the actual blast radius rather than the "artifact cleanup" shorthand. The daily cron runs a close-expired-entities job that can close agentic-created discussions, issues, and pull requests once their safe-output expires TTL passes; nothing in this repo sets expires today, so it's effectively a no-op right now, but the capability is present. The description now also lists the manual workflow_dispatch operations and notes it can be disabled via .github/workflows/aw.json {"maintenance": false}. Keeping the workflow for now since update-integration-data's own close-PR logic is self-contained and doesn't depend on it.

@aspire-repo-bot

Copy link
Copy Markdown
Contributor

Frontend HTML artifact ready

The latest frontend build uploaded the frontend-dist artifact for PR #1325. Use the VS Code button below to open this PR with GitHub Artifacts Explorer and browse the built HTML locally.

VS Code: Open PR #1325 artifacts

This comment updates automatically when a new frontend build artifact is uploaded.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@IEvangelist IEvangelist changed the title Fix agentic workflows by upgrading gh-aw to v0.81.6 Upgrade gh-aw to v0.81.6 and remove unused agentic workflows Jul 2, 2026
@IEvangelist IEvangelist merged commit c6d2416 into main Jul 2, 2026
10 checks passed
@IEvangelist IEvangelist deleted the ievangelist-fix-integration-updater branch July 2, 2026 19:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants