Add detection job skip condition based on safe outputs and patches by Copilot · Pull Request #3689 · github/gh-aw

Copilot · 2025-11-12T06:03:52Z

The detection job runs unconditionally after the agent job, wasting CI resources when there's nothing to scan (no safe outputs and no patch).

Changes

JavaScript (`collect_ndjson_output.cjs`)

Check for /tmp/gh-aw/aw.patch existence and set has_patch output

Go Compiler (`compiler_jobs.go`)

Export has_patch output from agent job alongside existing output and output_types

Detection Job (`threat_detection.go`)

Add conditional: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
Job skips when both no safe outputs generated AND no patch exists

Tests

Add TestDetectionJobSkipCondition to verify conditional logic
Update existing tests for new output field

Example

Generated workflow now includes:

agent:
  outputs:
    has_patch: ${{ steps.collect_output.outputs.has_patch }}
    output: ${{ steps.collect_output.outputs.output }}
    output_types: ${{ steps.collect_output.outputs.output_types }}

detection:
  needs: agent
  if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
  runs-on: ubuntu-latest

Detection job now skips when there's nothing to analyze, reducing unnecessary workflow executions.

Original prompt

The "detection" job should be skipped if there is no safe output and/or no patches to scan. Expose/compute a job output in the "agent" job that determines if detection is required to use in the "if" statement.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot

Pull Request Overview

This PR optimizes CI resource usage by adding conditional logic to skip the threat detection job when there's nothing to scan (no safe outputs and no patches). The implementation adds a new has_patch output from the agent job and uses it along with existing output_types to determine whether the detection job should run.

Key changes:

Added patch detection logic in JavaScript that checks for /tmp/gh-aw/aw.patch existence
Exposed has_patch as a new job output alongside output and output_types
Added conditional expression to detection job using OR logic: skip when both no safe outputs AND no patch

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
`pkg/workflow/js/collect_ndjson_output.cjs`	Added patch file existence check and set `has_patch` output
`pkg/workflow/compiler_jobs.go`	Added `has_patch` to job outputs map
`pkg/workflow/threat_detection.go`	Implemented conditional logic using `BuildDisjunction` to skip detection job when not needed
`pkg/workflow/threat_detection_test.go`	Added comprehensive test verifying the new skip condition
`pkg/workflow/agentic_output_test.go`	Updated existing tests to verify `has_patch` output is declared
`.github/workflows/dev.lock.yml`	Generated workflow reflecting the new output and conditional
`.github/workflows/changeset.lock.yml`	Generated workflow reflecting the new output and conditional
`.github/workflows/technical-doc-writer.lock.yml`	Unrelated change: simplified agent path reference

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2025-11-12T06:38:21Z

.github/workflows/technical-doc-writer.lock.yml

          set -o pipefail
          sudo -E awf --env-all --allow-domains '*.githubusercontent.com,api.enterprise.githubcopilot.com,api.github.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,codeload.github.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,lfs.github.com,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com' --log-level info \
-            "npx -y @github/copilot@0.0.354 --add-dir /tmp/gh-aw/ --log-level all --disable-builtin-mcps --agent \"\${GITHUB_WORKSPACE}/.github/agents/technical-doc-writer.md\" --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --prompt \"\$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"" \
+            "npx -y @github/copilot@0.0.354 --add-dir /tmp/gh-aw/ --log-level all --disable-builtin-mcps --agent technical-doc-writer --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --prompt \"\$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"" \


This change appears unrelated to the PR's stated purpose of adding detection job skip conditions. The change from --agent \"\${GITHUB_WORKSPACE}/.github/agents/technical-doc-writer.md\" to --agent technical-doc-writer modifies how the agent path is specified but has no connection to patch detection or safe outputs. Consider moving this to a separate PR focused on agent path handling.

Suggested change

"npx -y @github/copilot@0.0.354 --add-dir /tmp/gh-aw/ --log-level all --disable-builtin-mcps --agent technical-doc-writer --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --prompt \"\$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"" \

"npx -y @github/copilot@0.0.354 --add-dir /tmp/gh-aw/ --log-level all --disable-builtin-mcps --agent \"${GITHUB_WORKSPACE}/.github/agents/technical-doc-writer.md\" --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --prompt \"\$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"" \

Initial plan

6480967

Copilot AI assigned Copilot and pelikhan Nov 12, 2025

Copilot started work on behalf of pelikhan November 12, 2025 06:04 View session

Copilot AI and others added 4 commits November 12, 2025 06:14

Initial exploration complete

43c90f9

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Add detection job skip condition based on safe outputs and patches

9284b84

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Format code

2337742

Format code and verify implementation

8272951

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Add job output to determine detection requirements~~ Add detection job skip condition based on safe outputs and patches Nov 12, 2025

Copilot AI requested a review from pelikhan November 12, 2025 06:28

Copilot finished work on behalf of pelikhan November 12, 2025 06:28

pelikhan approved these changes Nov 12, 2025

View reviewed changes

pelikhan marked this pull request as ready for review November 12, 2025 06:36

Copilot AI review requested due to automatic review settings November 12, 2025 06:36

Copilot started reviewing on behalf of pelikhan November 12, 2025 06:36 View session

Copilot finished reviewing on behalf of pelikhan November 12, 2025 06:37

Copilot AI reviewed Nov 12, 2025

View reviewed changes

pelikhan merged commit c46f7c1 into main Nov 12, 2025
77 of 81 checks passed

pelikhan deleted the copilot/add-output-for-detection-job branch November 12, 2025 06:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add detection job skip condition based on safe outputs and patches#3689

Add detection job skip condition based on safe outputs and patches#3689
pelikhan merged 5 commits intomainfrom
copilot/add-output-for-detection-job

Copilot AI commented Nov 12, 2025 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Nov 12, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

	"npx -y @github/copilot@0.0.354 --add-dir /tmp/gh-aw/ --log-level all --disable-builtin-mcps --agent technical-doc-writer --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --prompt \"\$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"" \
	"npx -y @github/copilot@0.0.354 --add-dir /tmp/gh-aw/ --log-level all --disable-builtin-mcps --agent \"${GITHUB_WORKSPACE}/.github/agents/technical-doc-writer.md\" --allow-tool github --allow-tool safeoutputs --allow-tool shell --allow-tool write --add-dir /tmp/gh-aw/cache-memory/ --allow-all-paths --prompt \"\$(cat /tmp/gh-aw/aw-prompts/prompt.txt)\"" \

Conversation

Copilot AI commented Nov 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

JavaScript (collect_ndjson_output.cjs)

Go Compiler (compiler_jobs.go)

Detection Job (threat_detection.go)

Tests

Example

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Copilot AI Nov 12, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Nov 12, 2025 •

edited

Loading

JavaScript (`collect_ndjson_output.cjs`)

Go Compiler (`compiler_jobs.go`)

Detection Job (`threat_detection.go`)