Upgrade gh-aw to v0.81.6 and remove unused agentic workflows #1325
The scheduled agentic workflows (update-integration-data, ci-coach, issue-arborist, workflow-health-manager) were all failing with "Authentication failed with provider ... (HTTP 401)". The root cause was the outdated gh-aw v0.74.8 firewall / api-proxy stack (v0.25.49), which is incompatible with current Copilot provider authentication. Recompiled all four workflows with gh-aw v0.81.6 (latest stable), which ships an updated firewall stack (v0.27.11) with token steering and digest-pinned images.

Changes:
- Regenerate all four *.lock.yml files with gh-aw v0.81.6
- Update shared .github/aw/actions-lock.json (setup@v0.81.6 + new setup-cli)
- Add generated .github/workflows/agentics-maintenance.yml (v0.81.6 output)
- Bump gh-aw pin in copilot-setup-steps.yml to v0.81.6
- Refresh gh-aw doc URLs in agentic-workflows.agent.md to v0.81.6

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Pull request overview
Upgrades the repository’s scheduled agentic GitHub Actions workflows to a newer gh-aw compiler/runtime to address Copilot authentication failures during the agent step, and refreshes related pins/artifacts.
Changes:
- Regenerated agentic workflow lock files with `gh-aw v0.81.6` (schema v4, updated firewall/mcp-gateway stack, updated action/image pins).
- Updated the shared action lock and Copilot setup workflow to use the new `gh-aw-actions/setup-cli@v0.81.6`.
- Added the generated `agentics-maintenance.yml` workflow and updated agent documentation links to `gh-aw v0.81.6`.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/update-integration-data.lock.yml | Regenerated lock workflow with gh-aw v0.81.6 (new schema/runtime pins). |
| .github/workflows/ci-coach.lock.yml | Regenerated lock workflow with gh-aw v0.81.6 (new schema/runtime pins). |
| .github/workflows/issue-arborist.lock.yml | Regenerated lock workflow with gh-aw v0.81.6 (new schema/runtime pins). |
| .github/workflows/workflow-health-manager.lock.yml | Regenerated lock workflow with gh-aw v0.81.6 (new schema/runtime pins). |
| .github/workflows/copilot-setup-steps.yml | Bumped setup-cli action + gh-aw version pin to v0.81.6. |
| .github/workflows/agentics-maintenance.yml | Added generated maintenance workflow emitted by gh-aw v0.81.6. |
| .github/aw/actions-lock.json | Updated shared action lock entries for gh-aw-actions/* to v0.81.6 (incl. setup-cli). |
| .github/agents/agentic-workflows.agent.md | Updated gh-aw documentation URLs to v0.81.6. |
| # This file defines the generated agentic maintenance workflow for this repository. | ||
| # It runs scheduled cleanup for expiring safe outputs and supports manual maintenance operations. | ||
| # | ||
| # This workflow is generated automatically when workflows use expiring safe outputs | ||
| # or when repository maintenance features are enabled in .github/workflows/aw.json. | ||
| # | ||
| # To disable maintenance workflow generation, set in .github/workflows/aw.json: | ||
| # {"maintenance": false} |
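Review bot: The header comment at the top of this generated file says the workflow "runs scheduled cleanup for expiring safe outputs and supports manual maintenance operations", but it does not say which objects the cleanup can modify or which manual operations exist. Since the file is generated rather than hand-written, state that scope in the PR description, and if the repository does not need it, opt out with `{"maintenance": false}` in `.github/workflows/aw.json` as the header describes.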
Good catch — I've updated the PR description to document the actual blast radius rather than the "artifact cleanup" shorthand. The daily cron runs a close-expired-entities job that can close agentic-created discussions, issues, and pull requests once their safe-output expires TTL passes; nothing in this repo sets expires today, so it's effectively a no-op right now, but the capability is present. The description now also lists the manual workflow_dispatch operations and notes it can be disabled via .github/workflows/aw.json {"maintenance": false}. Keeping the workflow for now since update-integration-data's own close-PR logic is self-contained and doesn't depend on it.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Problem
All four scheduled agentic workflows were failing on every run:
- `update-integration-data` (failing runs)
- `ci-coach`
- `issue-arborist`
- `workflow-health-manager`

Each run aborts in the agent step with a non-retryable error:
Root cause
The lock files were last compiled with gh-aw v0.74.8, whose firewall / api-proxy stack (v0.25.49) is no longer compatible with current Copilot provider authentication. The sandboxed Copilot CLI can't authenticate against the api-proxy, so every run fails before doing any work. This is an infrastructure/tooling issue — the integration-data scripts themselves are fine.
Fix
Two parts:
- `update-integration-data` — the workflow we still want. Recompiled with gh-aw v0.81.6 (latest stable), which ships an updated firewall stack (v0.27.11) with token steering and digest-pinned images.
- `ci-coach`, `issue-arborist`, and `workflow-health-manager` — deleted rather than fixed, since we're no longer running them.

Changes
`update-integration-data` (upgraded):
- `update-integration-data.lock.yml` with gh-aw v0.81.6
- `.github/aw/actions-lock.json` (`gh-aw-actions/setup@v0.81.6` + new `setup-cli` action)
- `.github/workflows/copilot-setup-steps.yml` to v0.81.6
- `.github/agents/agentic-workflows.agent.md` to v0.81.6

New file:
- `.github/workflows/agentics-maintenance.yml` — a maintenance companion emitted by the v0.81.6 compiler because `update-integration-data` declares `close`/`create` safe outputs. Its blast radius, to be explicit:
  - `37 0 * * *`): runs a `close-expired-entities` job that can close agentic-created discussions, issues, and pull requests once their safe-output `expires` TTL has passed. No workflow in this repo sets `expires` today, so the scheduled job is effectively a no-op right now, but the capability is present.
  - `workflow_dispatch` operations: `disable`, `enable`, `update`, `upgrade`, `safe_outputs` (replay), `create_labels`, `activity_report`, `close_agentic_workflows_issues`, `clean_cache_memories`, `update_pull_request_branches`, `validate`, `forecast`.
  - `update-integration-data`'s own `close-pull-request` handling lives in its own lock file and does not depend on this workflow.
  - `.github/workflows/aw.json` with `{"maintenance": false}` and recompiling, if the auto-maintenance behavior isn't wanted.

Removed workflows (source + lock deleted):
- `ci-coach.md` / `ci-coach.lock.yml`
- `issue-arborist.md` / `issue-arborist.lock.yml`
- `workflow-health-manager.md` / `workflow-health-manager.lock.yml`

Notable migration deltas (v0.74.8 → v0.81.6)
- `body_hash`, `engine_versions`)
- `github-mcp-server` v1.0.4 → v1.4.0; mcp-gateway v0.3.9 → v0.3.30
- `setup-cli` composite action; Copilot CLI engine pinned
- `setup-dotnet` v5.2.0 → v5.3.0

Validation
- `gh aw compile --validate` passes (0 errors, 0 warnings)
- `update-integration-data` source (`.md`) changes — only the regenerated artifact and version pins
- `.gitattributes`)

Once merged, the next scheduled `update-integration-data` run should authenticate and complete successfully.

Co-authored-by: Copilot App 223556219+Copilot@users.noreply.github.com
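
The description's claim that no workflow sets `expires`, so the scheduled close job has nothing to act on, can be re-checked whenever a workflow source changes. The script below is an added example, not part of this PR or of gh-aw. It assumes the sources are Markdown files with `---`-delimited YAML front matter and that the TTL appears there as an `expires:` key; the function names and the sample files are hypothetical.

```shell
#!/bin/sh
# Added example: report gh-aw workflow sources whose front matter sets `expires`.
# Assumption: front matter is the block between the first two `---` lines.

# Print "file:line:text" for each `expires:` key found inside front matter.
# Mentions of "expires" in the Markdown body (the agent prompt) are ignored.
find_expires() {
  dir="$1"
  for f in "$dir"/*.md; do
    [ -f "$f" ] || continue
    awk -v file="$f" '
      NR == 1 && $0 !~ /^---[ \t]*$/ { exit }   # file has no front matter
      /^---[ \t]*$/ { fence++; if (fence == 2) exit; next }
      fence == 1 && /^[ \t]*expires[ \t]*:/ {
        sub(/^[ \t]+/, "")
        printf "%s:%d:%s\n", file, NR, $0
      }
    ' "$f"
  done
}

# Succeeds when no source sets a TTL, i.e. the scheduled close job is a no-op.
maintenance_is_noop() {
  [ -z "$(find_expires "$1")" ]
}

# Constructed sample: one source with a TTL, one that only mentions it in prose.
make_sample() {
  d=$(mktemp -d)
  printf '%s\n' '---' 'on: schedule' 'safe-outputs:' '  create-issue:' \
    '    expires: 7d' '---' 'Body' > "$d/with-ttl.md"
  printf '%s\n' '---' 'on: schedule' '---' \
    'expires: 30d appears in the prompt only' > "$d/prose-only.md"
  echo "$d"
}
```

Run `find_expires .github/workflows` from the repository root; any output means the scheduled job can close the items those workflows create.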