
fix(keepalive): use always() to ensure reusable workflow job is created #110

Merged
stranske merged 1 commit into main from fix-keepalive-always-create-job on Dec 24, 2025

Conversation

@stranske stranske (Owner) commented Dec 24, 2025

Problem

After PR #109, the Keepalive next task job still wasn't appearing in workflow runs even when evaluate.outputs.action == 'run'.

Root Cause

GitHub Actions evaluates if: conditions for reusable workflow jobs at workflow startup time, potentially before dependency job outputs are available. This means:

  • if: needs.evaluate.outputs.action == 'run' is evaluated BEFORE evaluate runs
  • At startup, action is empty/undefined, so the condition is false
  • The job is never created in the workflow graph

Evidence

  • Run 20487171966: summary job shows action: 'run', reason: 'ready'
  • But only 3 jobs appeared: Evaluate, Verify secrets, Update summary
  • Keepalive next task was missing from the job graph entirely

Solution

Use always() to ensure the job is always created in the workflow graph:

if: ${{ always() && needs.evaluate.result == 'success' && needs.evaluate.outputs.action == 'run' }}

The always() forces job creation. The rest of the condition determines if it actually runs once evaluate completes.

Automated Status Summary

Scope

  • Scope section missing from source issue.

Tasks

  • Restrict triggers:
      • do not run agent workflows on forked PRs
      • avoid pull_request_target unless absolutely necessary
  • Ensure prompts are repo-owned:
      • use prompt-file from .github/codex/prompts/
      • build a small “context appendix” file that includes sanitized task text
  • Add allowlists:
      • allow-users / allow-bots in codex-action config
      • only repo collaborators can trigger
  • Add denylist behaviors:
      • Codex should not edit .github/workflows/** unless a special environment-approved mode is enabled
      • Codex should not touch secrets or tokens (explicit instruction + sandbox limits)
  • Add logging + red flags:
      • if prompt contains “ignore previous”, HTML comments, base64 blobs, etc., stop and require human

Acceptance criteria

  • Malicious-looking issue text does not get passed verbatim into Codex execution.
  • Agent workflows only run for trusted actors and trusted events.
Earlier snapshots of this summary (Head SHAs 58da3fb and ea11578) reported the same results as the current one below: Latest Runs ✅ success (Gate); Required gate ✅ success; every listed workflow ✅ success except Agents PR meta manager ❔ in progress.

Head SHA: 83cc76d
Latest Runs: ✅ success — Gate
Required: gate: ✅ success

| Workflow / Job | Result | Logs |
|----------------|--------|------|
| Agents PR meta manager | ❔ in progress | View run |
| CI Autofix Loop | ✅ success | View run |
| Copilot code review | ✅ success | View run |
| Gate | ✅ success | View run |
| Health 40 Sweep | ✅ success | View run |
| Health 44 Gate Branch Protection | ✅ success | View run |
| Health 45 Agents Guard | ✅ success | View run |
| Health 50 Security Scan | ✅ success | View run |
| Maint 52 Validate Workflows | ✅ success | View run |
| PR 11 - Minimal invariant CI | ✅ success | View run |
| Selftest CI | ✅ success | View run |

GitHub Actions evaluates if conditions for reusable workflow jobs at
workflow startup time, potentially before dependency outputs are
available. Using always() ensures the job is created in the workflow
graph, while the rest of the condition determines if it actually runs.

This fixes the issue where Keepalive next task job wasn't being created
even when evaluate.outputs.action was 'run'.
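The fix described in the PR body and commit message, written out as a complete two-job workflow. This is an added illustration, not the repository's own workflow file: the `evaluate` job publishes `action` as a job output and the `run-codex` job consumes it behind the guarded `if:`. The decision step and the reusable workflow path are placeholders, and the `if:` is written without the optional `${{ }}` wrapper.

```yaml
name: keepalive

on:
  schedule:
    - cron: "0 * * * *"   # placeholder schedule
  workflow_dispatch:

jobs:
  evaluate:
    runs-on: ubuntu-latest
    # Job-level outputs are what a downstream job reads as needs.evaluate.outputs.*;
    # they do not exist until this job has finished.
    outputs:
      action: ${{ steps.decide.outputs.action }}
    steps:
      - id: decide
        # Placeholder decision logic; the real job decides whether a task is ready.
        run: echo "action=run" >> "$GITHUB_OUTPUT"

  run-codex:
    needs: evaluate
    # Original condition that left the job out of the graph entirely:
    #   if: needs.evaluate.outputs.action == 'run'
    #
    # always() keeps the reusable-workflow job in the graph even though its
    # condition references an output that is empty at startup. The two remaining
    # clauses carry the real gate: evaluate must have finished successfully and
    # asked for a run. Without `result == 'success'`, always() would also
    # dispatch this job after evaluate failed or was cancelled.
    if: always() && needs.evaluate.result == 'success' && needs.evaluate.outputs.action == 'run'
    uses: ./.github/workflows/keepalive-task.yml   # placeholder reusable workflow path
```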
Copilot AI review requested due to automatic review settings December 24, 2025 13:29
@stranske stranske temporarily deployed to agent-high-privilege December 24, 2025 13:29 — with GitHub Actions Inactive
@github-actions (Contributor) commented

Automated Status Summary

Head SHA: ac7aa22
Latest Runs: ⏳ pending — Gate
Required contexts: Gate / gate, Health 45 Agents Guard / Enforce agents workflow protections
Required: core tests (3.11): ⏳ pending, core tests (3.12): ⏳ pending, docker smoke: ⏳ pending, gate: ⏳ pending

| Workflow / Job | Result | Logs |
|----------------|--------|------|
| (no jobs reported) | ⏳ pending | |

Coverage Overview

  • Coverage history entries: 1

Coverage Trend

| Metric | Value |
|--------|-------|
| Current | 77.97% |
| Baseline | 0.00% |
| Delta | +77.97% |
| Minimum | 70.00% |
| Status | ✅ Pass |

Updated automatically; will refresh on subsequent CI/Docker completions.


Keepalive checklist

Scope

No scope information available

Tasks

  • No tasks defined

Acceptance criteria

  • No acceptance criteria defined

Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes a GitHub Actions workflow issue where the Keepalive next task job was not appearing in workflow runs even when the condition should have evaluated to true. The root cause was that GitHub Actions evaluates if: conditions for reusable workflow jobs at workflow startup time, before dependency job outputs are available.

Key changes:

  • Updated the if: condition on the run-codex job to use always() combined with explicit success and output checks


needs:
- evaluate
if: needs.evaluate.outputs.action == 'run'
if: ${{ always() && needs.evaluate.result == 'success' && needs.evaluate.outputs.action == 'run' }}
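Review bot: the `needs.evaluate.result == 'success'` clause is the only thing stopping `always()` from dispatching this job after `evaluate` fails or is cancelled, yet the hunk carries no comment saying why `always()` is there at all. Add a YAML comment above the `if:` line noting that `always()` exists solely so the reusable-workflow job is created in the graph and that the two following clauses are the real gate; otherwise a later cleanup is likely to simplify the condition and reintroduce the missing-job bug this PR fixes.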

Copilot AI Dec 24, 2025


The ${{ }} expression wrapper is redundant in the if: condition since GitHub Actions already evaluates expressions in this context. For consistency with other conditions in this workflow (lines 126 and 174), consider removing the wrapper to use: if: always() && needs.evaluate.result == 'success' && needs.evaluate.outputs.action == 'run'

Suggested change
if: ${{ always() && needs.evaluate.result == 'success' && needs.evaluate.outputs.action == 'run' }}
if: always() && needs.evaluate.result == 'success' && needs.evaluate.outputs.action == 'run'

@stranske stranske merged commit 32482c9 into main Dec 24, 2025
148 checks passed
@stranske stranske deleted the fix-keepalive-always-create-job branch December 24, 2025 13:32