
Enforce strict: true for public repositories in lockdown validation#19948

Merged
pelikhan merged 7 commits intomainfrom
copilot/update-lockdown-validation-script
Mar 7, 2026

Conversation


Copilot AI commented Mar 7, 2026

  • Add effectiveStrictMode() helper in compiler_yaml.go (a7a014c)
  • Refactor compiler_orchestrator_engine.go to use effectiveStrictMode() instead of duplicating logic inline (both occurrences)
  • Add unit tests for effectiveStrictMode() covering all cases: CLI flag, frontmatter field, default true, nil frontmatter, non-bool strict field
  • Add documentation: lockdown-mode.md callout, frontmatter.md strict section callout, errors.md runtime error entry
  • Build, lint, and tests pass
Original prompt

Update the lockdown validation script to also enforce strict : true to public repositories.

  • store strictness in metadata (increase metadata version)
  • parse metadata to detect strictness
  • error on public repository and non-strict


Changeset

  • Type: patch
  • Description: Lockdown validation now enforces strict: true for public repositories.

Generated by Changeset Generator for issue #19948

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • ab.chatgpt.com
  • github.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "github.com"

See Network Configuration for more information.



✨ PR Review Safe Output Test - Run 22800226769

💥 [THE END] — Illustrated by Smoke Claude

- Add LockSchemaV2 with Strict bool field in LockMetadata
- Update GenerateLockMetadata to accept strict parameter and emit v2
- Embed GH_AW_COMPILED_STRICT env var in generate_aw_info step
- Error on public repository + non-strict in validate_lockdown_requirements.cjs
- Update tests and golden files

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update lockdown validation script for strictness enforcement" to "Enforce strict: true for public repositories in lockdown validation" Mar 7, 2026
pelikhan commented Mar 7, 2026

@copilot

  • ensure strictness of metadata is inferred from the source code
  • it seems that all strictness variables are false in the lock files

The strict metadata and GH_AW_COMPILED_STRICT env var were always using
c.strictMode (the CLI --strict flag), which defaults to false. This meant
all lock files showed strict: false when compiled without --strict.

Add effectiveStrictMode() helper that applies the correct priority:
  CLI flag > frontmatter strict field > default (true)

Update both the lock file metadata header and GH_AW_COMPILED_STRICT env var
to use effectiveStrictMode(data.RawFrontmatter). Update golden files and
recompile all workflows with correct strict values.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI commented Mar 7, 2026

@copilot

  • ensure strictness of metadata is inferred from the source code...

Fixed in a7a014c.

The root issue was that c.strictMode reflects only the --strict CLI flag (defaults to false), but strict mode can also come from strict: true in the workflow frontmatter and defaults to true when neither is set.

Added effectiveStrictMode(frontmatter map[string]any) bool helper that applies the correct priority: CLI flag → frontmatter strict: field → default (true). Both the lock file metadata header ("strict":true) and GH_AW_COMPILED_STRICT env var now use this.

After recompile, 155/166 workflows show GH_AW_COMPILED_STRICT: "true" and only 11 show "false" — those 11 explicitly set strict: false in their frontmatter.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)
If you need me to access, download, or install something from one of these locations, you can either:
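The resolution order Copilot describes above (the --strict CLI flag, then the frontmatter strict: field, then a default of true), written out as an added illustrative Go re-implementation. This is not the project's effectiveStrictMode() from compiler_yaml.go; the function name effectiveStrict and its (cliStrict, frontmatter) signature are assumptions made for this example, and the table of cases in main is constructed to mirror the ones the thread lists.

```go
package main

import "fmt"

// effectiveStrict resolves the strict mode a workflow is compiled with.
// Priority, as described in the PR discussion: CLI --strict flag, then the
// frontmatter "strict:" field, then a default of true. Illustrative
// re-implementation, not the project's effectiveStrictMode().
func effectiveStrict(cliStrict bool, frontmatter map[string]any) bool {
	// 1. An explicit --strict on the command line always wins. The flag
	//    defaults to false, which just means "not set" at this level.
	if cliStrict {
		return true
	}
	// 2. Otherwise honour an explicit boolean strict: field in the frontmatter.
	//    Indexing a nil map yields nil, so a missing frontmatter is handled
	//    here too. A non-bool value such as strict: "false" does not satisfy
	//    the assertion and is ignored rather than treated as opting out.
	if v, ok := frontmatter["strict"].(bool); ok {
		return v
	}
	// 3. Nothing said otherwise: default to strict.
	return true
}

func main() {
	// Constructed cases matching the ones the thread's unit tests cover.
	cases := []struct {
		name string
		cli  bool
		fm   map[string]any
	}{
		{"cli flag overrides strict:false", true, map[string]any{"strict": false}},
		{"frontmatter strict:true", false, map[string]any{"strict": true}},
		{"frontmatter strict:false", false, map[string]any{"strict": false}},
		{"no strict field defaults to true", false, map[string]any{"engine": "copilot"}},
		{"nil frontmatter defaults to true", false, nil},
		{"non-bool strict field ignored", false, map[string]any{"strict": "false"}},
	}
	for _, c := range cases {
		fmt.Printf("%-36s -> strict=%v\n", c.name, effectiveStrict(c.cli, c.fm))
	}
}
```

The one design point worth noticing is the non-bool case: a value like strict: "false" (a string, not a YAML boolean) falls through to the default and the workflow is compiled strict, so a typo in the frontmatter fails toward the safer setting rather than silently disabling it.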

pelikhan commented Mar 7, 2026

@copilot the strictness is the runtime value inferred from --script and the strict field.

pelikhan commented Mar 7, 2026

@copilot review where strict is used in the compiler and ensure the same logic is used to resolve the runtime value. Add tests.

Copilot AI commented Mar 7, 2026

@copilot the strictness is the runtime value inferred from --script and the strict field.

Yes, that's exactly what effectiveStrictMode() does — it combines --strict CLI flag and the frontmatter strict: field with the priority: CLI flag → frontmatter strict: field → default (true). This was implemented in a7a014c.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI commented Mar 7, 2026

@copilot review where strict is used in the compiler and ensure the same logic is used to resolve the runtime value. Add tests.

Done in f41eefa. The two places in compiler_orchestrator_engine.go that duplicated the inline strict-mode resolution logic now call effectiveStrictMode() consistently. Added TestEffectiveStrictMode in compiler_yaml_strict_mode_test.go with 7 cases covering all priority combinations: CLI flag override, frontmatter explicit true/false, default-to-true when neither is set, nil frontmatter, and non-bool strict field.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build3598705600/b383/cli.test -test.testlogfile=/tmp/go-build3598705600/b383/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)
If you need me to access, download, or install something from one of these locations, you can either:
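The runtime half of this PR, as an added Go sketch: store the compiled strictness in the lock metadata (schema v2 with a Strict field), parse it back out, and fail the run when the repository is public and the workflow was not compiled strict. The project's real check lives in validate_lockdown_requirements.cjs and reads the GH_AW_COMPILED_STRICT value embedded in the generate_aw_info step; the "# gh-aw-metadata:" header prefix, the JSON field names, the function names and the sample lock fragments below are all assumptions made for illustration, not the project's format.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// lockMetadata is an illustrative stand-in for the lock file header.
// "strict" is omitted when false, matching the PR's "strict in metadata when
// true" behaviour. Field names are assumptions, not the project's schema.
type lockMetadata struct {
	Version int  `json:"version"`
	Strict  bool `json:"strict,omitempty"`
}

// Assumed header prefix; the project's actual marker may differ.
const metadataPrefix = "# gh-aw-metadata: "

// generateLockMetadata emits a v2 header line carrying the compiled strictness.
func generateLockMetadata(strict bool) string {
	b, _ := json.Marshal(lockMetadata{Version: 2, Strict: strict})
	return metadataPrefix + string(b)
}

// parseLockMetadata locates the header line in a lock file and decodes it.
// A missing or malformed header is an error, never a silent default.
func parseLockMetadata(lockFile string) (lockMetadata, error) {
	for _, line := range strings.Split(lockFile, "\n") {
		if !strings.HasPrefix(line, metadataPrefix) {
			continue
		}
		var m lockMetadata
		if err := json.Unmarshal([]byte(strings.TrimPrefix(line, metadataPrefix)), &m); err != nil {
			return lockMetadata{}, fmt.Errorf("malformed lock metadata: %w", err)
		}
		return m, nil
	}
	return lockMetadata{}, errors.New("lock metadata header not found")
}

// compiledStrict decides whether the workflow was compiled strict. Only v2
// carries the flag; a v1 header predates it and is treated as non-strict
// (fail closed) rather than assumed strict.
func compiledStrict(m lockMetadata) bool {
	return m.Version >= 2 && m.Strict
}

// compiledStrictFromEnv interprets the step env value (GH_AW_COMPILED_STRICT
// in the project); anything other than "true" counts as non-strict.
func compiledStrictFromEnv(value string) bool {
	return strings.TrimSpace(value) == "true"
}

var errPublicRequiresStrict = errors.New(
	"public repository requires strict mode: recompile with strict: true (or --strict)")

// validateLockdown is the runtime gate: a workflow running in a public
// repository must have been compiled with strict mode.
func validateLockdown(visibility string, strict bool) error {
	if visibility == "public" && !strict {
		return errPublicRequiresStrict
	}
	return nil
}

func main() {
	// Constructed lock file fragments, not taken from the project.
	strictLock := generateLockMetadata(true) + "\nname: example\non: workflow_dispatch\n"
	laxLock := generateLockMetadata(false) + "\nname: example\n"
	cases := []struct{ visibility, lock string }{
		{"public", strictLock},
		{"public", laxLock},
		{"private", laxLock},
	}
	for _, c := range cases {
		m, err := parseLockMetadata(c.lock)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		if err := validateLockdown(c.visibility, compiledStrict(m)); err != nil {
			fmt.Printf("%-7s repo, strict=%-5v: BLOCKED (%v)\n", c.visibility, m.Strict, err)
		} else {
			fmt.Printf("%-7s repo, strict=%-5v: ok\n", c.visibility, m.Strict)
		}
	}
}
```

Because the flag is stored with omitempty, a v2 header for a non-strict workflow is simply `{"version":2}`, and a v1 header has no flag at all; both decode to Strict=false and are rejected on a public repository, so an older lock file cannot pass the check merely by being old.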

@pelikhan pelikhan marked this pull request as ready for review March 7, 2026 13:44
Copilot AI review requested due to automatic review settings March 7, 2026 13:44
pelikhan commented Mar 7, 2026

@copilot add documentation. Use the technical-doc-writer agent.

github-actions bot commented Mar 7, 2026

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

github-actions bot commented Mar 7, 2026

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

github-actions bot commented Mar 7, 2026

🎬 THE END: Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

github-actions bot commented Mar 7, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI commented Mar 7, 2026

@copilot add documentation. Use the technical-doc-writer agent.

Done in f14499a. Three surgical documentation edits:

  • lockdown-mode.md: added [!IMPORTANT] callout at the top noting that public repository workflows must be compiled with strict mode.
  • frontmatter.md: added [!IMPORTANT] callout in the strict: section noting that strict: false workflows cannot run on public repositories.
  • errors.md: added a new ### Public Repository Requires Strict Mode entry with the runtime error message and resolution steps.

github-actions bot commented Mar 7, 2026

Agent Container Tool Check

Tool      Version
bash      5.2.21
sh        available
git       2.53.0
jq        1.7
yq        v4.52.4
curl      8.5.0
gh        2.87.3
node      v20.20.0
python3   3.12.3
go        1.24.13
java      10.0.102
dotnet    10.0.102

Result: 12/12 tools available ✅ — PASS

🔧 Tool validation by Agent Container Smoke Test

Copilot AI left a comment


Pull request overview

This PR updates the runtime lockdown validation to enforce strict: true for workflows running on public repositories, and propagates “compiled strictness” through lock metadata and workflow env for validation.

Changes:

  • Add Compiler.effectiveStrictMode() and refactor orchestrator strict-mode resolution to use it.
  • Bump lock metadata to schema v2 and include a strictness signal (strict in metadata when true; GH_AW_COMPILED_STRICT env always).
  • Extend lockdown validation script + tests to enforce strict mode for public repos, and update golden/lock workflow artifacts accordingly.

Reviewed changes

Copilot reviewed 179 out of 179 changed files in this pull request and generated 2 comments.

File Description
pkg/workflow/compiler_yaml.go Adds effectiveStrictMode(), emits strictness into lock metadata and GH_AW_COMPILED_STRICT env
pkg/workflow/compiler_orchestrator_engine.go Replaces duplicated strict-mode resolution logic with effectiveStrictMode()
pkg/workflow/compiler_yaml_strict_mode_test.go Adds unit tests for strict-mode resolution precedence and edge cases
pkg/workflow/lock_schema.go Introduces lock schema v2 and strict field in metadata; updates generator signature
pkg/workflow/lock_schema_test.go Updates schema support expectations and adds strict-specific metadata tests
actions/setup/js/validate_lockdown_requirements.cjs Adds strict-mode enforcement for public repositories
actions/setup/js/validate_lockdown_requirements.test.cjs Adds test coverage for strict-mode enforcement scenarios
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden Updates golden output to include GH_AW_COMPILED_STRICT
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden Updates golden output to include GH_AW_COMPILED_STRICT
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden Updates golden output to include GH_AW_COMPILED_STRICT
.github/workflows/ace-editor.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/agent-performance-analyzer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/agent-persona-explorer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/ai-moderator.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/archie.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/artifacts-summary.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/audit-workflows.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/auto-triage-issues.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/blog-auditor.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/bot-detection.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/brave.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/breaking-change-checker.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/changeset.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/chroma-issue-indexer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/ci-coach.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/ci-doctor.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/claude-code-user-docs-review.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/cli-consistency-checker.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/cli-version-checker.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/cloclo.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/code-scanning-fixer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/code-simplifier.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/codex-github-remote-mcp-test.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/commit-changes-analyzer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/constraint-solving-potd.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/contribution-check.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/copilot-agent-analysis.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/copilot-cli-deep-research.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/copilot-pr-merged-report.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/copilot-pr-nlp-analysis.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/copilot-pr-prompt-analysis.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/copilot-session-insights.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/craft.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-architecture-diagram.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-assign-issue-to-user.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-choice-test.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-cli-performance.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-cli-tools-tester.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-code-metrics.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-compiler-quality.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-copilot-token-report.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-doc-healer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-doc-updater.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-fact.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-file-diet.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-firewall-report.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-issues-report.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-malicious-code-scan.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-multi-device-docs-tester.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-news.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-observability-report.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-performance-summary.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-regulatory.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-rendering-scripts-verifier.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-repo-chronicle.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-safe-output-optimizer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-safe-outputs-conformance.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-security-red-team.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-secrets-analysis.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-semgrep-scan.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-syntax-error-quality.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-team-evolution-insights.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-team-status.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-testify-uber-super-expert.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/daily-workflow-updater.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/dead-code-remover.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/deep-report.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/delight.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/dependabot-burner.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/dependabot-go-checker.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/dev-hawk.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/dev.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/developer-docs-consolidator.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/dictation-prompt.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/discussion-task-miner.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/docs-noob-tester.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/draft-pr-cleanup.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/duplicate-code-detector.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/example-permissions-warning.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/example-workflow-analyzer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/firewall-escape.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/firewall.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/functional-pragmatist.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/github-mcp-structural-analysis.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/github-mcp-tools-report.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/github-remote-mcp-auth-test.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/glossary-maintainer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/go-fan.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/go-logger.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/go-pattern-detector.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/gpclean.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/grumpy-reviewer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/hourly-ci-cleaner.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/instructions-janitor.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/issue-arborist.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/issue-monster.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/issue-triage-agent.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/jsweep.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/layout-spec-maintainer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/lockfile-stats.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/mcp-inspector.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/mergefest.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/metrics-collector.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/notion-issue-summary.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/org-health-report.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/pdf-summary.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/plan.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/poem-bot.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/portfolio-analyst.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/pr-nitpick-reviewer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/pr-triage-agent.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/prompt-clustering-analysis.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/python-data-charts.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/q.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/refiner.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/release.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/repo-audit-analyzer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/repo-tree-map.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/repository-quality-improver.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/research.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/safe-output-health.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/schema-consistency-checker.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/scout.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/security-alert-burndown.campaign.g.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/security-compliance.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/security-review.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/semantic-function-refactor.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/sergo.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/slide-deck-maintainer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-agent.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-claude.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-codex.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-copilot-arm.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-copilot.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-create-cross-repo-pr.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-gemini.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-multi-pr.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-project.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-temporary-id.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-test-tools.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-update-cross-repo-pr.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/smoke-workflow-call.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/stale-repo-identifier.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/static-analysis-report.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/step-name-alignment.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/sub-issue-closer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/super-linter.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/technical-doc-writer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/terminal-stylist.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/test-create-pr-error-handling.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/test-dispatcher.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/test-project-url-default.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/test-workflow.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/tidy.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/typist.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/ubuntu-image-analyzer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/unbloat-docs.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/video-analyzer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/weekly-editors-health-check.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/weekly-issue-summary.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/workflow-generator.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/workflow-health-manager.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/workflow-normalizer.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT
.github/workflows/workflow-skill-extractor.lock.yml Regenerates lock workflow with v2 metadata and GH_AW_COMPILED_STRICT


Comment on lines +76 to +84
"This workflow is running on a public repository but was not compiled with strict mode.\\n" +
"\\n" +
"Please configure one of the following as a repository secret:\\n" +
" - GH_AW_GITHUB_TOKEN (recommended)\\n" +
" - GH_AW_GITHUB_MCP_SERVER_TOKEN (alternative)\\n" +
" - Custom github-token in your workflow frontmatter\\n" +
"Public repository workflows must be compiled with strict mode enabled to meet\\n" +
"the security requirements for public exposure.\\n" +
"\\n" +
"See: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/auth.mdx\\n" +
"To fix this, recompile the workflow with strict mode:\\n" +
" gh aw compile --strict\\n" +
"\\n" +
"To set a token:\\n" +
' gh aw secrets set GH_AW_GITHUB_TOKEN --value "YOUR_FINE_GRAINED_PAT"';
"See: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/security.mdx";
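Review bot: the remediation in this message names only the per-invocation fix. `gh aw compile --strict` forces strict on for that one compile, but GH_AW_COMPILED_STRICT is written from effective strictness, so a workflow whose frontmatter says `strict: false` regresses the next time anything recompiles it without the flag; lead with the durable fix (set `strict: true` in frontmatter, then recompile) and offer `--strict` as the one-off alternative. Separately, as rendered here the repository-secret lines (`Please configure one of the following as a repository secret:`, `To set a token:`, the `gh aw secrets set ...` command and the auth.mdx link) sit interleaved with the strict-mode text; confirm the final string carries only the strict-mode guidance and the security.mdx link, since setting a token does nothing for a missing GH_AW_COMPILED_STRICT.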
Copilot AI Mar 7, 2026

The strict-mode failure guidance only mentions recompiling with gh aw compile --strict, but GH_AW_COMPILED_STRICT is derived from effective strictness (frontmatter strict: true or CLI flag). To avoid misleading users, the error message should also mention enabling strict: true in frontmatter (and then recompiling) as an alternative fix.

@github-actions

github-actions bot commented Mar 7, 2026

Commit pushed: 7d67c02

Generated by Changeset Generator

@github-actions

github-actions bot commented Mar 7, 2026

Smoke Test Results — Run #22800226809

Test Status
GitHub MCP
Safe Inputs GH CLI
Serena MCP
Playwright
Web Fetch
File Writing
Bash Tool
Discussion
Build
PR Review

Overall: ⚠️ PARTIAL PASS — Serena MCP tools unavailable.

PR author: @Copilot | Assignees: @pelikhan @Copilot

📰 BREAKING: Report filed by Smoke Copilot

@github-actions github-actions bot left a comment


PR adds effectiveStrictMode() helper and LockSchemaV2 to track strict mode in lock file metadata — clean, well-structured change. Left two minor notes: one on the tri-state limitation of the CLI bool flag, and one suggesting a CurrentLockSchemaVersion alias for future-proofing.

📰 BREAKING: Report filed by Smoke Copilot

if c.strictMode {
// CLI flag takes precedence
return true
}
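Review bot: the comment `// CLI flag takes precedence` overstates what this branch does. A true `c.strictMode` forces strict on, but a false value falls through to the frontmatter and the default, so the CLI can only enable strict mode, never disable it. Reword it to something like `// --strict forces strict mode on; it cannot turn it off` so a reader does not infer that a `--no-strict` override exists, and note there that expressing an explicit CLI false would need a tri-state field rather than a bool.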

The effectiveStrictMode function only returns true when c.strictMode is set via the CLI flag, but has no way to express "CLI explicitly disabled strict mode". If a --no-strict CLI flag is ever added, this logic would need to change from a bool to a *bool (or tri-state enum) to distinguish "CLI forced true", "CLI forced false", and "CLI not set". Worth a TODO comment to document this limitation.

// LockSchemaV1 is the legacy lock file schema version (no strict field)
LockSchemaV1 LockSchemaVersion = "v1"
// LockSchemaV2 is the current lock file schema version (adds strict field)
LockSchemaV2 LockSchemaVersion = "v2"
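Review bot: LockSchemaV1's comment should state how the lockdown validation treats a lock file that still carries it. With no strict field there is nothing to read, so the public-repository check must either fail such a file (asking for a recompile to v2) or fall back to some default; that is a security decision and belongs on the constant, not left for the reader of the validation script to infer. Failing v1 on public repositories is the fail-closed choice and matches the intent of bumping the schema version in the first place.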

Consider adding a CurrentLockSchemaVersion = LockSchemaV2 alias so callers don't need to be updated each time a new schema version is introduced. This would make the GenerateLockMetadata function (and other callers) more future-proof and easier to update.
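Taking the two review points above together (a tri-state CLI value for effectiveStrictMode, and a CurrentLockSchemaVersion alias), the following is an added, self-contained Go illustration of the resolution and validation rule this PR describes; it is example code written for this page, not gh-aw's implementation. Only the LockSchemaV1/LockSchemaV2 names come from the diff; the `# gh-aw-metadata: key=value` header format, the strictResolver type and the parseLockMetadata/validateLockdown functions are assumptions for the example, and the real lock file layout and validation script are not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// LockSchemaVersion tags the metadata a compiled lock file carries.
// The V1/V2 names match the diff above; everything else here is assumed.
type LockSchemaVersion string

const (
	LockSchemaV1 LockSchemaVersion = "v1" // legacy: no strict field
	LockSchemaV2 LockSchemaVersion = "v2" // adds the strict field
	// CurrentLockSchemaVersion is the alias suggested in review, so code
	// that writes new lock files never hard-codes a specific version.
	CurrentLockSchemaVersion = LockSchemaV2
)

// strictResolver holds the inputs to the strict decision. cliStrict is a
// tri-state (nil = flag not given) so an explicit CLI false can be expressed;
// a plain bool cannot distinguish "not set" from "set to false".
type strictResolver struct {
	cliStrict   *bool
	frontmatter map[string]any // parsed workflow frontmatter, may be nil
}

// effectiveStrictMode resolves strictness: an explicit CLI value wins, then a
// boolean frontmatter `strict`, otherwise the fail-closed default of true.
// A non-boolean frontmatter value (e.g. the string "no") is ignored, not trusted.
func (r strictResolver) effectiveStrictMode() bool {
	if r.cliStrict != nil {
		return *r.cliStrict
	}
	if v, ok := r.frontmatter["strict"].(bool); ok { // nil map lookup is safe
		return v
	}
	return true
}

// LockMetadata is what the validation step recovers from a lock file.
type LockMetadata struct {
	Schema LockSchemaVersion
	Strict bool // only recorded from schema v2 onwards
}

// parseLockMetadata reads a constructed "# gh-aw-metadata: key=value ..."
// header line. This format is an assumption for the example, not gh-aw's.
func parseLockMetadata(lock string) (LockMetadata, error) {
	const prefix = "# gh-aw-metadata:"
	for _, line := range strings.Split(lock, "\n") {
		if !strings.HasPrefix(line, prefix) {
			continue
		}
		var md LockMetadata
		for _, kv := range strings.Fields(strings.TrimPrefix(line, prefix)) {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				return md, fmt.Errorf("malformed metadata entry %q", kv)
			}
			switch k {
			case "schema":
				md.Schema = LockSchemaVersion(v)
			case "strict":
				md.Strict = v == "true"
			}
		}
		if md.Schema == "" {
			return md, errors.New("metadata header has no schema version")
		}
		return md, nil
	}
	return LockMetadata{}, errors.New("no metadata header found")
}

// validateLockdown is the rule this PR adds: a public repository may only run
// a workflow whose lock file records strict=true. A v1 lock file has no strict
// field at all, so it is treated as non-strict and must be recompiled.
func validateLockdown(md LockMetadata, repoPublic bool) error {
	if !repoPublic {
		return nil // private repositories are not subject to the lockdown rule
	}
	if md.Schema == LockSchemaV1 {
		return fmt.Errorf("lock file is schema v1 and records no strict flag; recompile to %s metadata", CurrentLockSchemaVersion)
	}
	if !md.Strict {
		return errors.New("public repository workflow was not compiled with strict mode; set `strict: true` in frontmatter and recompile, or run `gh aw compile --strict`")
	}
	return nil
}

func main() {
	cli := true
	fmt.Println("strict:", strictResolver{cliStrict: &cli}.effectiveStrictMode())
	md, _ := parseLockMetadata("# gh-aw-metadata: schema=v2 strict=false\nname: demo\n")
	fmt.Println(validateLockdown(md, true))
}
```

The resolver deliberately ignores a non-boolean `strict` value instead of coercing it: a YAML typo such as `strict: "false"` would otherwise silently disable the check, and failing closed to true is the safer outcome for a setting that gates public exposure.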

@github-actions

github-actions bot commented Mar 7, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@pelikhan pelikhan merged commit e211c85 into main Mar 7, 2026
51 checks passed
@pelikhan pelikhan deleted the copilot/update-lockdown-validation-script branch March 7, 2026 13:56
@github-actions

github-actions bot commented Mar 7, 2026

Smoke Test Results — Run #22800226769

Core (#1–10): ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅
PR Review (#11–17): ✅ ✅ ✅ ✅ ✅ ✅ ⚠️

Overall: PARTIAL (test #17 skipped — no safe PR to close)

💥 [THE END] — Illustrated by Smoke Claude

@github-actions github-actions bot left a comment


💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude
