
fix: guard activation .github checkout against cross-repo GITHUB_TOKEN failure on workflow_call #26336

Merged: pelikhan merged 5 commits into main from copilot/fix-workflow-call-fetch-error on Apr 15, 2026
Contributor

Copilot AI commented Apr 15, 2026

When a workflow_call triggers a workflow in a private callee repo (e.g., org/tvOS-App → org/.github), the activation job's .github sparse checkout fails with Repository not found because GITHUB_TOKEN is always scoped to the calling repository and cannot read a private callee repo. This regression was introduced when the .github checkout was moved into the activation job.

Fix

When no custom activation token is configured (i.e., only GITHUB_TOKEN is available), inject an if: guard on the checkout step that restricts it to same-repo invocations:

- name: Checkout .github and .agents folders
  if: steps.resolve-host-repo.outputs.target_repo == github.repository  # ← added
  uses: actions/checkout@...
  with:
    repository: ${{ steps.resolve-host-repo.outputs.target_repo }}
    ref: ${{ steps.resolve-host-repo.outputs.target_ref }}
    ...
  • Same-repo workflow_call: condition is true, checkout runs normally
  • Cross-repo workflow_call (no custom token): condition is false, checkout is skipped — restoring pre-regression behavior
  • Cross-repo with custom token (activation-github-token / activation-github-app): guard is not emitted; checkout always runs

Changes

  • compiler_activation_job.go: after generating the cross-repo checkout for workflow_call, injects the same-repo if: condition when activationToken == "${{ secrets.GITHUB_TOKEN }}". Adds addSameRepoIfConditionToSteps and injectIfConditionAfterName helpers.
  • compiler_activation_job_test.go: extends TestGenerateCheckoutGitHubFolderForActivation_WorkflowCall to assert the guard is present for default-token cases; adds TestCheckoutSameRepoGuardWithCustomToken to assert the guard is absent when a custom token is provided.
  • Lock files: two smoke-test workflow_call .lock.yml files recompiled to include the guard.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI and others added 2 commits April 15, 2026 00:46
…call without custom token

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2f42f475-94be-4b19-b33c-f9ff4dbd19f2

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… injectIfConditionAfterName

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2f42f475-94be-4b19-b33c-f9ff4dbd19f2

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix workflow call failing to fetch .github repository fix: guard activation .github checkout against cross-repo GITHUB_TOKEN failure on workflow_call Apr 15, 2026
Copilot AI requested a review from pelikhan April 15, 2026 00:52
@pelikhan pelikhan marked this pull request as ready for review April 15, 2026 01:25
Copilot AI review requested due to automatic review settings April 15, 2026 01:25
@github-actions
Contributor

Hey @Copilot 👋 — great fix for the cross-repo GITHUB_TOKEN scoping issue on workflow_call! Guarding the .github sparse checkout with steps.resolve-host-repo.outputs.target_repo == github.repository is a clean, targeted solution that avoids breaking same-repo callers while safely degrading for cross-repo scenarios where a custom token isn't configured.

The PR is well-structured, thoroughly tested, and the description clearly explains the root cause and the escape hatch (configuring activation-github-token or activation-github-app). This looks ready for maintainer review. 🚀

Generated by Contribution Check · ● 2M ·

Contributor

Copilot AI left a comment


Pull request overview

Fixes a regression where the activation job’s sparse checkout of the callee repo’s .github folder fails on cross-repo workflow_call when only the default GITHUB_TOKEN is available (token is scoped to the caller repo).

Changes:

  • Adds a same-repo if: guard to the activation .github checkout step for workflow_call when using the default GITHUB_TOKEN.
  • Adds helper functions to inject the if: condition into the generated checkout step YAML.
  • Expands unit tests and updates smoke-test compiled lock workflows to include the guard.
Summary per file

| File | Description |
| --- | --- |
| pkg/workflow/compiler_activation_job.go | Injects a same-repo if: guard into activation checkout steps for workflow_call when using default GITHUB_TOKEN. |
| pkg/workflow/compiler_activation_job_test.go | Adds assertions/tests covering presence/absence of the same-repo checkout guard depending on token configuration. |
| .github/workflows/smoke-workflow-call.lock.yml | Recompiled lock workflow includes the guarded checkout step. |
| .github/workflows/smoke-workflow-call-with-inputs.lock.yml | Recompiled lock workflow includes the guarded checkout step. |

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 2

Comment thread pkg/workflow/compiler_activation_job.go Outdated
Comment on lines +740 to +754
// injectIfConditionAfterName inserts an "if:" field immediately after the first line
// (the "- name:" line) of a YAML step string. Returns the step unchanged if the
// insertion point cannot be found.
//
// The 8-space prefix matches the YAML indentation used throughout the step generator:
// steps are nested 6 spaces deep (" - name:") and step fields are at 8 spaces
// (" uses:", " with:", etc.). This is consistent with all other
// step fields emitted by GenerateGitHubFolderCheckoutStep.
func injectIfConditionAfterName(step, condition string) string {
idx := strings.Index(step, "\n")
if idx < 0 {
compilerActivationJobLog.Printf("Warning: could not inject if-condition %q — step has no newline: %q", condition, step)
return step
}
return step[:idx+1] + " if: " + condition + "\n" + step[idx+1:]
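Review bot: The idx < 0 branch only logs a warning and returns the step unchanged, so the caller cannot tell that the guard was never applied and compilation still emits an unguarded checkout. Return an error (or a bool) from injectIfConditionAfterName and fail the compile when the insertion point is missing. The final splice also never checks whether the step already carries an if: field, which would leave two if: keys in one step mapping.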

Copilot AI Apr 15, 2026


addSameRepoIfConditionToSteps/injectIfConditionAfterName post-processes YAML via string splicing with a hard-coded indent and assumes the first newline is after the "- name:" line. This works with the current GenerateGitHubFolderCheckoutStep output, but it’s brittle if the step formatting/indentation changes. Consider emitting the if: directly from the checkout step generator (e.g., add an optional condition parameter to GenerateGitHubFolderCheckoutStep, similar to generateInlineGitHubScriptStep in pkg/workflow/compiler_github_actions_steps.go:45-48) to avoid format-coupled string surgery.

Suggested change
// injectIfConditionAfterName inserts an "if:" field immediately after the first line
// (the "- name:" line) of a YAML step string. Returns the step unchanged if the
// insertion point cannot be found.
//
// The 8-space prefix matches the YAML indentation used throughout the step generator:
// steps are nested 6 spaces deep (" - name:") and step fields are at 8 spaces
// (" uses:", " with:", etc.). This is consistent with all other
// step fields emitted by GenerateGitHubFolderCheckoutStep.
func injectIfConditionAfterName(step, condition string) string {
idx := strings.Index(step, "\n")
if idx < 0 {
compilerActivationJobLog.Printf("Warning: could not inject if-condition %q — step has no newline: %q", condition, step)
return step
}
return step[:idx+1] + " if: " + condition + "\n" + step[idx+1:]
// injectIfConditionAfterName inserts an "if:" field immediately after the "- name:"
// line of a YAML step string. Returns the step unchanged if a "- name:" line cannot
// be found. The field indentation is derived from the step's existing content rather
// than hard-coded so this remains stable if the step formatter changes indentation.
func injectIfConditionAfterName(step, condition string) string {
lines := strings.Split(step, "\n")
nameLineIdx := -1
for i, line := range lines {
trimmed := strings.TrimSpace(line)
if strings.HasPrefix(trimmed, "- name:") {
nameLineIdx = i
break
}
}
if nameLineIdx < 0 {
compilerActivationJobLog.Printf("Warning: could not inject if-condition %q — step has no '- name:' line: %q", condition, step)
return step
}
for i := nameLineIdx + 1; i < len(lines); i++ {
trimmed := strings.TrimSpace(lines[i])
if strings.HasPrefix(trimmed, "if:") {
return step
}
}
fieldIndent := ""
for i := nameLineIdx + 1; i < len(lines); i++ {
line := lines[i]
trimmed := strings.TrimSpace(line)
if trimmed == "" {
continue
}
fieldIndent = line[:len(line)-len(strings.TrimLeft(line, " "))]
break
}
if fieldIndent == "" {
nameLine := lines[nameLineIdx]
nameIndent := nameLine[:len(nameLine)-len(strings.TrimLeft(nameLine, " "))]
fieldIndent = nameIndent + " "
}
newLines := make([]string, 0, len(lines)+1)
newLines = append(newLines, lines[:nameLineIdx+1]...)
newLines = append(newLines, fieldIndent+"if: "+condition)
newLines = append(newLines, lines[nameLineIdx+1:]...)
return strings.Join(newLines, "\n")
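Review bot: The idempotency loop (`for i := nameLineIdx + 1; ...` followed by `strings.HasPrefix(trimmed, "if:")`) returns the step unchanged as soon as any later line starts with `if:` once trimmed, at any indentation and whatever the existing expression is. A step that already carries a different step-level `if:`, or a nested line beginning with `if:` under `with:` or in a `run:` script, is therefore emitted without the same-repo guard, and unlike the missing `- name:` branch nothing is logged. Since this guard is what keeps the default `GITHUB_TOKEN` checkout from running cross-repo, consider computing `fieldIndent` first and treating only a line at that indentation as the step's own `if:`; when its expression differs from `condition`, either combine the two with `&&` or log a warning through `compilerActivationJobLog.Printf` so the skipped injection is visible. A test case with a pre-existing, different `if:` would pin the chosen behaviour down.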

Comment thread pkg/workflow/compiler_activation_job.go Outdated
Comment on lines +740 to +747
// injectIfConditionAfterName inserts an "if:" field immediately after the first line
// (the "- name:" line) of a YAML step string. Returns the step unchanged if the
// insertion point cannot be found.
//
// The 8-space prefix matches the YAML indentation used throughout the step generator:
// steps are nested 6 spaces deep (" - name:") and step fields are at 8 spaces
// (" uses:", " with:", etc.). This is consistent with all other
// step fields emitted by GenerateGitHubFolderCheckoutStep.

Copilot AI Apr 15, 2026


The comment for injectIfConditionAfterName says it inserts after the "- name:" line, but the implementation inserts after the first newline without verifying that the first line is actually a name field. Either update the comment to match the behavior ("after the first line") or make the function explicitly locate the "- name:" line before inserting, to avoid surprising behavior if the step format changes.

…heckout

Generated by Design Decision Gate workflow run 24431549578.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions
Contributor

Commit pushed: 44c05d9

🏗️ ADR gate enforced by Design Decision Gate 🏗️

@github-actions
Contributor

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (157 new lines in pkg/) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/26336-same-repo-guard-for-workflow-call-checkout.md

The draft captures the key design decision: compile-time injection of a same-repo if: guard onto .github checkout steps when only GITHUB_TOKEN is available, as an alternative to raising errors, adding opt-in config fields, or runtime token-scope probing.

What to do next

  1. Review the draft ADR committed to your branch — it was generated from the PR diff
  2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and verify the alternatives reflect what was actually considered
  3. Commit the finalized ADR to docs/adr/ on your branch
  4. Reference the ADR in this PR body by adding a line such as:

    ADR: ADR-26336: Same-Repo Guard for workflow_call Checkout with Default GITHUB_TOKEN

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.


📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

  • Context — What is the problem? What forces are at play?
  • Decision — What did you decide? Why?
  • Alternatives Considered — What else could have been done?
  • Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 26336-same-repo-guard-for-workflow-call-checkout.md for PR #26336).

🔒 This PR cannot merge until an ADR is linked in the PR body.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 132.7K ·

@github-actions
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

Excellent test quality

| Metric | Value |
| --- | --- |
| New/modified tests analyzed | 2 |
| ✅ Design tests (behavioral contracts) | 2 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 2 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | ⚠️ Yes (ratio ~2.83×, see note) |
| 🚨 Coding-guideline violations | None |

Test Classification Details

| Test | File | Classification | Notes |
| --- | --- | --- | --- |
| TestGenerateCheckoutGitHubFolderForActivation_WorkflowCall | pkg/workflow/compiler_activation_job_test.go | ✅ Design | Table-driven; adds wantSameRepoCondition field + positive/negative assertions across all trigger variants |
| TestCheckoutSameRepoGuardWithCustomToken | pkg/workflow/compiler_activation_job_test.go | ✅ Design | New test; directly enforces the fix's core invariant — custom token suppresses guard, default token enables it |

Test Analysis Details

TestGenerateCheckoutGitHubFolderForActivation_WorkflowCall (modified)

Design invariant: The .github checkout step in a workflow_call-triggered workflow must include an if: steps.resolve-host-repo.outputs.target_repo == github.repository guard when no custom activation token is configured — and must not include it for non-workflow_call triggers or when inlinedImports is active.

Value if deleted: A regression would allow the checkout step to run unconditionally in cross-repo workflow_call scenarios, failing with a GITHUB_TOKEN permission error. The test directly validates the compiler's YAML output, so a deleted test would allow silent regression in that output.

Contract vs. implementation: Design test — asserts on the compiler's externally-observable YAML output, not on internal function call counts or data structure layout.

The updated table rows (6 scenarios) cleanly cover: same-repo workflow_call (×2), workflow_call+inlined-imports, issues trigger, issue_comment trigger, and action-tag with workflow_call. All added assertions carry descriptive messages. ✅


TestCheckoutSameRepoGuardWithCustomToken (new)

Design invariant: Providing a custom activation token (e.g. ${{ secrets.CROSS_ORG_TOKEN }}) must suppress the same-repo guard, allowing cross-repo checkouts to proceed for callers that have configured their own token.

Value if deleted: Would allow a regression where a custom token is configured but the guard is still injected — unnecessarily blocking cross-repo callers who set up proper tokens, or the inverse (guard omitted when it's still needed for default-token scenarios).

Contract vs. implementation: Design test — asserts end-to-end on the generated YAML step string using assert.Contains/assert.NotContains on the final string, not on any internal function call. The three table rows cover the three meaningful branches. ✅


⚠️ Test Inflation Note

The test file added 116 lines against 41 lines in the production file (ratio ≈ 2.83×), triggering the inflation threshold (> 2×). However, this is contextually justified:

  • The existing test function required structural changes across all table rows (adding the new wantSameRepoCondition field and aligning column widths).
  • A new dedicated TestCheckoutSameRepoGuardWithCustomToken function was added with its own table.

The extra lines represent genuine coverage, not copy-paste padding. The 10-point penalty is applied per the formula, but no action is required.


Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 2 tests — unit (//go:build !integration) ✅ Build tag present
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests (no JS test changes in this PR)

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). Both tests enforce meaningful behavioral contracts and cover both the positive and negative code paths of the fix.


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel · ● 672.1K ·

Contributor

@github-actions github-actions bot left a comment


✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). Both new/modified tests enforce behavioral contracts and cover positive and negative code paths of the fix.

@pelikhan
Collaborator

@copilot review all comments

…ame line, idempotent

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b576c376-08d3-4ebd-bc1e-edc33b865e9c

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 15, 2026

@copilot review all comments

Addressed both review comments in d1a4d48:

  • injectIfConditionAfterName now explicitly locates the - name: line (rather than splitting on the first newline), derives the field indentation from the step's existing content (no more hardcoded 8 spaces), and is idempotent (skips injection if if: is already present). Falls back with a warning log when no - name: line is found.
  • Added TestInjectIfConditionAfterName covering indent inference, idempotency, and the missing-name-line fallback.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan merged commit 1f8ddf9 into main Apr 15, 2026
@pelikhan pelikhan deleted the copilot/fix-workflow-call-fetch-error branch April 15, 2026 01:55

Development

Successfully merging this pull request may close these issues.

bug: Workflow call failing to fetch .github repository (Exit Code 128)
