fix(audit): surface ##[error] annotations from flat GitHub Actions log files

[Copilot]

The audit command reported error_count: N but left the errors array empty for failed runs, because extractPreAgentStepErrors only scanned the hierarchical log format (workflow-logs/{job_name}/{step}.txt) and silently skipped flat per-job files (workflow-logs/{N}_{job_name}.txt) that GitHub Actions also produces.

Changes

audit_report.go — flat log file scanning

• extractPreAgentStepErrors now handles both log zip layouts:
  • Hierarchical: workflow-logs/activation/3_Generate agentic run info.txt
  • Flat: workflow-logs/3_activation.txt ← was silently skipped
• Flat .txt files at the root of workflow-logs/ are scanned for ##[error] annotations with the same logic as step files; the lastStep fallback also tracks flat files by number prefix

audit_report_analysis.go — richer key findings

• "Workflow Failed" finding description now appends the first error message (truncated to 200 chars), surfacing the root cause directly in key_findings without requiring users to dig into errors
• Fixed misleading recommendation example ("Check the Errors section below") — now references the errors field

Before:

"key_findings": [{"title": "Workflow Failed", "description": "Workflow 'Issue Monster' failed with 1 error(s)"}],
"errors": []

After:

"key_findings": [{"title": "Workflow Failed", "description": "Workflow 'Issue Monster' failed with 1 error(s): ##[error]Lockdown mode is enabled (lockdown: true) but no custom GitHub token is configured..."}],
"errors": [{"type": "step_failure", "file": "activation", "message": "##[error]Lockdown mode is enabled..."}]

audit_report_test.go — new test coverage

• extracts ##[error] from flat job log files — exact scenario from the issue (3_activation.txt)
• falls back to last flat job log when no ##[error] in flat files
• flat job logs and subdirectory step logs are both scanned — mixed format
• Long error message truncation in finding description

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha k/gh-aw/gh-aw/.github/workflows/artifacts-summary.md -buildtags (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -json GO111MODULE ache/node/24.14.0/x64/bin/node GOINSECURE GOMOD GOMODCACHE go t-36�� sistency_GoAndJavaScript1132060841/001/test-complex-frontmatter--errorsas GO111MODULE ache/node/24.14.0/x64/bin/node GOINSECURE GOMOD GOMODCACHE /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel sh /usr/bin/git npx prettier --cgit GOPROXY 64/bin/go git rev-�� --show-toplevel sh /usr/bin/infocmp "prettier" --chegit sh 64/bin/go infocmp (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel tr/ytUgHB2WOGAJoX6mK9KE/Es5JHOhs-dwarf=false /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.0/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/gh-aw-test-runs/20260307-024458-27804/test-198204686/.github/workflows 639530/b422/_testmain.go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link -json GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link -o /tmp/go-build584639530/b422/styles.test -importcfg /usr/bin/git -s -w -buildmode=exe git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.0/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE ortcfg k/gh�� d8004da17dedc443GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD erignore ache/go/1.25.0/xGO111MODULE (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build584639530/b374/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/access_log.go /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/actionlint.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha e45609a1afb980edGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env 6043315/b391/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha k/gh-aw/gh-aw/pkg/styles/theme.go k/gh-aw/gh-aw/pkg/styles/theme_test.go /opt/hostedtoolcache/node/24.14.0/x64/bin/node -json GO111MODULE 64/bin/go node /tmp�� /tmp/TestHashConsistency_GoAndJavaScript1132060841/001/test-empty-frontmatter.md _dSwIDR3-ZWO (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /tmp/gh-aw-test-runs/20260307-024458-27804/test-2015483775/.github/workflows rev-parse /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -json GO111MODULE 64/bin/go /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build584639530/b418/_pkg_.a -trimpath /opt/hostedtoolcache/node/24.14.0/x64/bin/node -p github.com/githurev-parse -lang=go1.25 node (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -json GO111MODULE epo.git GOINSECURE GOMOD GOMODCACHE 639530/b405/mathutil.test e=/t�� t0 GO111MODULE (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE cal/bin/sh GOINSECURE GOMOD GOMODCACHE go env /v2.0.0 GO111MODULE x_amd64/link GOINSECURE GOMOD ode-gyp-bin/sh x_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE wJ/GFtmVa307QDDNuUCuh0B/-q2laYTO-trimpath (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE ache/uv/0.10.9/x86_64/sh GOINSECURE GOMOD GOMODCACHE go env heck '**/*.cjs' @{u} GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE rgo/bin/sh GOINSECURE GOMOD GOMODCACHE go env heck '**/*.cjs' .github/workflows/test.md GO111MODULE k/gh-aw/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE tnet/tools/sh GOINSECURE GOMOD GOMODCACHE ParseStepFilename|TestStripGHALosecurity env heck '**/*.cjs' '**/*.ts' '**/*.-nxv GO111MODULE es/.bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE nfig/composer/vendor/bin/sh GOINSECURE GOMOD GOMODCACHE go env heck '**/*.cjs' @{u} GO111MODULE k/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE p/bin/sh GOINSECURE GOMOD GOMODCACHE go env heck '**/*.cjs' '**/*.ts' '**/*.OUTPUT GO111MODULE e_modules/.bin/node GOINSECURE GOMOD ode-gyp-bin/sh go (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 1020719583/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha npx prettier --wGOSUMDB git 64/bin/go --show-toplevel go /usr/bin/git go env h ../../../.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 2450720426/custotest-logs/run-1 GO111MODULE ules/.bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE H57QtgoEMGWg env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha npx prettier --wGOSUMDB git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env th .prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env ck '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go **/*.ts **/*.json --ignore-path node /opt�� run format:pkg-json 64/bin/go --show-toplevel go /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go **/*.ts **/*.json --ignore-path sh -c npx prettier --wGOSUMDB git 64/bin/go --show-toplevel go /usr/bin/git git (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build584639530/b383/cli.test /tmp/go-build584639530/b383/cli.test -test.testlogfile=/tmp/go-build584639530/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE ortcfg env g/logger/exampleGOINSECURE GO111MODULE 64/bin/go GOINSECURE erignore GOMODCACHE ache/go/1.25.0/xGO111MODULE (http block)
  • Triggering command: /tmp/go-build3213694876/b001/cli.test /tmp/go-build3213694876/b001/cli.test -test.testlogfile=/tmp/go-build3213694876/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.run=^Test npx prettier --wGOINSECURE git 64/bin/go --show-toplevel go /usr/bin/git sh -c "prettier" --wriGOINSECURE git 64/bin/go tierignore go /usr/bin/git node (http block)
  • Triggering command: /tmp/go-build4078561260/b001/cli.test /tmp/go-build4078561260/b001/cli.test -test.testlogfile=/tmp/go-build4078561260/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.short=true -test.run=^Test GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go ache�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name prettier --write 64/bin/go **/*.ts **/*.json --ignore-path npm run format:pkg-json --silent 64/bin/go tierignore go /usr/bin/git /bin/sh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name on' --ignore-path ../../../.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull request overview

This PR fixes gh aw audit so it can extract ##[error] annotations from both hierarchical and flat GitHub Actions log zip layouts, and surfaces the first error message directly in the “Workflow Failed” key finding.

Changes:

• Extend extractPreAgentStepErrors to scan flat per-job log files (workflow-logs/{N}_{job}.txt) in addition to hierarchical step logs.
• Enhance the “Workflow Failed” finding to append a truncated first error message, and update the failure recommendation example text.
• Add unit tests covering flat log extraction, fallback behavior, mixed layouts, and finding-description truncation.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
pkg/cli/audit_report.go	Adds flat job-log scanning for ##[error] annotations and fallback tracking.
pkg/cli/audit_report_analysis.go	Appends truncated first error message to the failure key finding; updates recommendation example text.
pkg/cli/audit_report_test.go	Adds tests for flat log parsing and for key-finding error-message truncation behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

desc appends errors[0].Message verbatim. Error messages extracted from step/job logs can include embedded newlines (e.g., multiple ##[error] lines joined with \n), which will break the indentation/formatting in renderKeyFindings because it prints the description with a single leading indent. Consider normalizing the message for summaries (e.g., replace \r/\n with spaces and collapse whitespace) before truncation/appending so key findings remain single-line and readable.

[Copilot]

The flat-log scan duplicates the same ##[error] extraction logic that’s used later for hierarchical step logs. Consider extracting the shared “scan content for ##[error] lines + strip timestamps + join + truncate” into a helper and reuse it in both places to avoid future drift.