Merged
Conversation
* fix: correct YAML syntax in agents-issue-intake.yml template The 'if' condition in the check_labels job was improperly formatted, causing the line to wrap incorrectly with 'runs-on' ending up on the same line. This resulted in startup_failure errors when the workflow was deployed to consumer repos. Changes: - Use multiline scalar (|) for complex if condition - Properly indent continuation lines - Ensure runs-on is on its own line Fixes workflow failures in stranske/Travel-Plan-Permission and other consumer repositories using this template. * fix: add validation safeguards for template changes Problem: Template changes sync to 4+ consumer repos. A syntax error in agents-issue-intake.yml caused startup_failure in all consumer repos because there was no validation preventing bad templates. Changes: 1. Fix YAML syntax error in check_labels job (multiline if condition) 2. Add validate_workflow_yaml.py script to catch YAML/style issues 3. Add pre-commit hook to validate templates before commit 4. Add CRITICAL section to CLAUDE.md about template changes Safeguards added: - Pre-commit hook blocks template commits with validation errors - Script checks: YAML syntax, line length (100), runs-on placement - Clear warning in CLAUDE.md with validation commands - Enforces repo standards before sync Related: Travel-Plan-Permission#253, Workflows#602
* fix: correct YAML syntax in agents-issue-intake.yml template The 'if' condition in the check_labels job was improperly formatted, causing the line to wrap incorrectly with 'runs-on' ending up on the same line. This resulted in startup_failure errors when the workflow was deployed to consumer repos. Changes: - Use multiline scalar (|) for complex if condition - Properly indent continuation lines - Ensure runs-on is on its own line Fixes workflow failures in stranske/Travel-Plan-Permission and other consumer repositories using this template. * fix: add validation safeguards for template changes Problem: Template changes sync to 4+ consumer repos. A syntax error in agents-issue-intake.yml caused startup_failure in all consumer repos because there was no validation preventing bad templates. Changes: 1. Fix YAML syntax error in check_labels job (multiline if condition) 2. Add validate_workflow_yaml.py script to catch YAML/style issues 3. Add pre-commit hook to validate templates before commit 4. Add CRITICAL section to CLAUDE.md about template changes Safeguards added: - Pre-commit hook blocks template commits with validation errors - Script checks: YAML syntax, line length (100), runs-on placement - Clear warning in CLAUDE.md with validation commands - Enforces repo standards before sync Related: Travel-Plan-Permission#253, Workflows#602
The workflow now uses the CODESPACES_WORKFLOWS secret which has merge permissions, falling back to GITHUB_TOKEN if not available. Successfully merged sync PRs in Manager-Database, Template, and trip-planner using this token.
- Parse multiline REGISTERED_CONSUMER_REPOS env var instead of hardcoded list - Add stale PR cleanup: close and delete branches for older sync PRs - Process repos in order from REGISTERED_CONSUMER_REPOS (7 repos total) - Increase per_page to 20 to catch multiple stale PRs - Add stale_closed status tracking in summary
- Extract consumer repo list from maint-68-sync-consumer-repos.yml at runtime - Use yq to parse the authoritative REGISTERED_CONSUMER_REPOS env var - Remove duplicated hardcoded list to maintain single source of truth
- Change default max_length from 150 to 100 to match repo standards (black, ruff, isort) - Add explicit encoding='utf-8' to all file operations for cross-platform compatibility - Remove redundant condition check (already verified by elif condition)
- Add critical section to CLAUDE.md about checking new workflows for file artifacts - Create comprehensive WORKFLOW_ARTIFACT_CHECKLIST.md with decision trees and examples - Document common artifact patterns that cause merge conflicts in consumer repos - Provide recovery procedures for artifact pollution - Emphasize template workflows sync to 7+ repos (one mistake = 7+ conflicts)
- Require addressing ALL bot comments before merging PRs - Document that bot comments are mandatory fixes, not suggestions - Provide process for evaluating and resolving bot feedback - Emphasize impact: ignored comments → bugs in 7+ consumer repos - Add examples of critical issues bots catch (encoding, defaults, logic)
- Add workflow to EXPECTED_NAMES test mapping - Document in docs/ci/WORKFLOWS.md with description - Add to docs/ci/WORKFLOW_SYSTEM.md workflow table - Fixes test failures: test_canonical_workflow_names_match_expected_mapping, test_workflow_names_match_filename_convention, test_inventory_docs_list_all_workflows
- Quote $repos variable in yq pipeline to prevent word splitting (SC2086) - Quote $GITHUB_OUTPUT and $GITHUB_STEP_SUMMARY variables - Fixes shellcheck warnings in actionlint
The fallback to GITHUB_TOKEN causes merge failures since GITHUB_TOKEN lacks merge permissions. Require CODESPACES_WORKFLOWS secret explicitly.
Keep CODESPACES_WORKFLOWS without fallback to fix merge permissions.
Prevents merge conflicts and wasted CI resources by requiring git fetch/merge before gh pr create.
- Consumer repos should automatically create bootstrap PRs when issues are labeled with agent:codex or similar labels - Previously used 'invite' mode which only waits for humans to create PRs - Changed template to 'create' mode to enable automatic PR creation - This will propagate to all consumer repos via sync workflow Also fixed line length issues to pass validation.
Root cause: The reusable issue bridge workflow was hardcoded to always use 'invite' mode for issue events, ignoring the mode input parameter. This prevented automatic PR creation when issues are labeled. The logic at line 257-268 always overrides mode to 'invite' when eventName === 'issues', with the rationale that 'the human post lands on the issue'. However, this breaks the desired workflow of auto-creating bootstrap PRs when issues are labeled with agent:codex. Solution: - Add force_mode boolean input to reusable workflow - When force_mode=true, respect the mode input regardless of event type - Update consumer template to pass force_mode: true - This allows mode: create to work for issue events while maintaining backward compatibility (default force_mode=false preserves old behavior) This is the correct fix after 5 attempts - the previous attempts only changed the mode input but didn't account for the hardcoded override.
Root cause: PR #89 removed the permissions block from the sync job, breaking the chatgpt_sync workflow that processes topic files to create issues. The sync job calls agents-63-issue-intake.yml which needs: - contents: read (to checkout repo and read topic files) - issues: write (to create/update issues) - id-token: write (for GitHub OIDC token) - models: read (for LangChain formatting with GitHub Models) Without these permissions, the workflow cannot process files or create issues from topic files. This fixes the actual issue - file processing in chatgpt_sync mode.
COMPLETE ROOT CAUSE ANALYSIS:
The format_created_issues job in agents-63-issue-intake.yml uses:
GH_TOKEN: ${{ github.token }}
GITHUB_TOKEN: ${{ github.token }}
When a reusable workflow is called:
- Without secrets: inherit → github.token has NO permissions
- With explicit secrets → github.token still has NO permissions
- With secrets: inherit → github.token gets caller's permissions
The consumer template was passing explicit secrets (SERVICE_BOT_PAT,
OWNER_PR_PAT) but NOT using 'secrets: inherit'. This meant:
1. The sync job in the reusable workflow couldn't use github.token
2. gh CLI and GitHub API calls failed with permission errors
3. Files were processed but issues couldn't be created/updated
The permissions block on the sync job sets what github.token CAN have,
but secrets: inherit is what actually PASSES that token to the reusable
workflow with those permissions.
This is the actual fix. Testing flow:
1. User triggers workflow_dispatch with chatgpt_sync mode
2. route job determines mode → should_run_sync=true
3. sync job calls agents-63-issue-intake.yml with secrets: inherit
4. chatgpt_sync job has contents:read, issues:write permissions
5. format_created_issues job has those + id-token:write + models:read
6. Both jobs can use github.token with proper permissions
7. Files are processed, issues created, LangChain formatting applied
Contributor
stranske
temporarily deployed
to
agent-high-privilege
GitHub Actions
Inactive
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses workflow startup failures by modifying the agent issue intake workflow behavior and adding process documentation. The primary changes involve switching from "invite" mode to "create" mode with a force mode override, adjusting secret handling, and documenting best practices for branch synchronization.
Key Changes
- Changed agent bridge workflow from "invite" to "create" mode with
force_mode: trueto override event-based mode selection - Added
force_modeinput parameter to the reusable agent bridge workflow to allow bypassing event-driven mode logic - Modified secret handling in sync job from explicit secrets to
secrets: inheritand added permissions block
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| templates/consumer-repo/.github/workflows/agents-issue-intake.yml | Updated bridge job mode to "create" with force_mode, reformatted comments, added permissions to sync job, changed to inherited secrets |
| .github/workflows/reusable-agents-issue-bridge.yml | Added force_mode input parameter and conditional logic to override event-based mode selection |
| .github/workflows/maint-71-merge-sync-prs.yml | Removed fallback to GITHUB_TOKEN, now only uses CODESPACES_WORKFLOWS secret |
| CLAUDE.md | Added documentation section emphasizing the importance of syncing with main before creating PRs |
Comments suppressed due to low confidence (1)
templates/consumer-repo/.github/workflows/agents-issue-intake.yml:168
- The mode has been changed from "invite" to "create" with force_mode enabled. This represents a significant behavior change that will affect how agent assignment works. Ensure this is the intended behavior and that all calling workflows and downstream systems expect this mode change. The "create" mode may have different side effects compared to "invite" mode.
mode: "create"
post_agent_comment: ${{ inputs.post_codex_comment && 'true' || 'false' }}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
Automated Status SummaryHead SHA: 54cc3ec
Coverage Overview
Coverage Trend
Top Coverage Hotspots (lowest coverage)
Updated automatically; will refresh on subsequent CI/Docker completions. Keepalive checklistScopeNo scope information available Tasks
Acceptance criteria
|
Contributor
🤖 Keepalive Loop StatusPR #606 | Agent: Codex | Iteration 0/5 Current State
🔍 Failure Classification| Error type | infrastructure | |
This was referenced Jan 7, 2026
stranske
added a commit
that referenced
this pull request
Jan 7, 2026
Root cause: Consumer repos were using mode: 'invite' without force_mode, causing the reusable workflow to ignore the mode and prevent automatic bootstrap PR creation when issues are labeled with agent:codex. Changes: - Change mode from 'invite' to 'create' in bridge job template - Add force_mode: true to override issue event defaults This template change will sync to all consumer repos: - Travel-Plan-Permission - Trend_Model_Project - Manager-Database - trip-planner - Template - And others When synced, all consumer repos will support automatic PR creation when issues are labeled with agent:* labels, fixing startup_failure issues. Related: Trend_Model_Project#4185, PR #606
stranske
added a commit
that referenced
this pull request
Jan 7, 2026
Root cause: Consumer repos were using mode: 'invite' without force_mode, causing the reusable workflow to ignore the mode and prevent automatic bootstrap PR creation when issues are labeled with agent:codex. Changes: - Change mode from 'invite' to 'create' in bridge job template - Add force_mode: true to override issue event defaults This template change will sync to all consumer repos: - Travel-Plan-Permission - Trend_Model_Project - Manager-Database - trip-planner - Template - And others When synced, all consumer repos will support automatic PR creation when issues are labeled with agent:* labels, fixing startup_failure issues. Related: Trend_Model_Project#4185, PR #606
This was referenced Jan 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.