Upgrade gh-aw to v0.81.6 and isolate agentic workflows into copilot-pat-pool environment#129840
Merged
jeffhandley merged 3 commits intoJul 8, 2026
Merged
Conversation
…at-pool environment - Update PAT Pool workflow to require an environment input - Update PAT Pool README - Update PAT Pool comments and template in all workflows - Remove copilot-echo workflow that is no longer needed
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the repo’s gh-aw (Agentic Workflows) setup to the newer v0.79.8-generated lockfiles and moves agentic workflows onto an isolated copilot-pat-pool environment, while updating the PAT pool import/docs and removing the legacy copilot-echo workflow.
Changes:
- Upgrade generated
.lock.ymlworkflows to gh-aw v0.79.8 output and associated action/container pins. - Require agentic workflows to run under the
copilot-pat-poolenvironment and pass an explicitenvironmentinput into the sharedpat_pool.mdimport. - Update PAT pool documentation and remove the no-longer-needed
copilot-echoworkflow + lockfile.
Reviewed changes
Copilot reviewed 16 out of 18 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/validate-pat-pool.yml | Adds copilot-pat-pool environment to the validation job and updates the gh-aw setup action pin. |
| .github/workflows/shared/pat_pool.README.md | Documents the new environment-based PAT pool setup and updated import usage. |
| .github/workflows/shared/pat_pool.md | Makes environment a required import input and applies it to the pat_pool job. |
| .github/workflows/README.md | Updates guidance for skipping workflows in forks via github.event.repository.fork. |
| .github/workflows/copilot-echo.md | Removes the obsolete echo harness workflow. |
| .github/workflows/copilot-echo.lock.yml | Removes the generated lockfile for the obsolete echo workflow. |
| .github/workflows/code-review.md | Updates PAT pool import to pass environment and runs in copilot-pat-pool. |
| .github/workflows/code-review.lock.yml | Regenerated by gh-aw v0.79.8; incorporates environment isolation and new runtime/guardrail logic. |
| .github/workflows/ci-failure-scan.md | Updates PAT pool import and environment isolation for the scanner workflow. |
| .github/workflows/ci-failure-scan-feedback.md | Updates PAT pool import/environment and adjusts safe-output config fields. |
| .github/workflows/ci-failure-fix.md | Updates PAT pool import and environment isolation for the fixer workflow. |
| .github/workflows/breaking-change-doc.md | Updates PAT pool import and environment isolation for breaking-change-doc generation. |
| .github/dependabot.yml | Adjusts ignore rules for github/gh-aw-actions dependencies managed by gh-aw compilation. |
| .github/aw/actions-lock.json | Updates action lock entries for gh-aw v0.79.8 (including setup-cli). |
jonathanpeppers
pushed a commit
to dotnet/android-tools
that referenced
this pull request
Jun 29, 2026
## Summary
- migrate the Android Tools GH-AW reviewer workflow to the Copilot PAT pool model
- add the shared PAT pool import and README under `.github/workflows/shared/`
- add `validate-pat-pool.yml` so the PAT pool can be checked independently
- recompile the generated lock workflow and update `.github/aw/actions-lock.json`
## Validation
- `gh aw compile .github/workflows/android-tools-reviewer.md --schedule-seed dotnet/android-tools --approve`
- `dotnet build Xamarin.Android.Tools.sln`
- `dotnet test tests\Microsoft.Android.Build.BaseTasks-Tests\Microsoft.Android.Build.BaseTasks-Tests.csproj`
- `dotnet test tests\Xamarin.Android.Tools.AndroidSdk-Tests\Xamarin.Android.Tools.AndroidSdk-Tests.csproj` still has the pre-existing `JdkDirectory_JavaHome("JI_JAVA_HOME")` failure in both the feature worktree and the clean `main` checkout because `JAVA_HOME` is set in the local environment
## Security review note
I reviewed the newly introduced secret references, action revisions, and generated workflow manifest changes from the PAT pool migration.
### Secrets
Added restricted secrets:
- `COPILOT_PAT_0`
- `COPILOT_PAT_1`
- `COPILOT_PAT_2`
- `COPILOT_PAT_3`
- `COPILOT_PAT_4`
- `COPILOT_PAT_5`
- `COPILOT_PAT_6`
- `COPILOT_PAT_7`
- `COPILOT_PAT_8`
- `COPILOT_PAT_9`
These are only used to select a PAT slot number inside the isolated `pat_pool` job and then resolve the selected slot through a `case(...)` expression in `engine.env`, matching the documented pattern in [dotnet/vitals PAT pool guidance](https://github.com/dotnet/vitals/blob/main/.github/workflows/shared/pat_pool.README.md) and the example in [dotnet/xharness#1626](dotnet/xharness#1626).
### Actions and generated runtime updates
- `github/gh-aw-actions/setup` updated from `v0.79.8` to `v0.80.9` (`8c7d04ebf1ece56cd381446125da3e0f6896294a`)
- generated workflow containers updated to the compiler-selected set from `gh aw` v0.80.9:
- `ghcr.io/github/gh-aw-firewall/agent:0.27.7`
- `ghcr.io/github/gh-aw-firewall/api-proxy:0.27.7`
- `ghcr.io/github/gh-aw-firewall/squid:0.27.7`
- `ghcr.io/github/gh-aw-mcpg:v0.3.27`
- `ghcr.io/github/gh-aw-node`
- `ghcr.io/github/github-mcp-server:v1.4.0`
I reviewed these as safe because they are generated by the official `gh aw` compiler during recompilation of the existing workflow, align with the PAT pool migration shape used in [dotnet/runtime#129840](dotnet/runtime#129840), and do not introduce any custom third-party action beyond the standard GitHub / gh-aw generated set already used by this workflow.
### Redirect changes
No redirect changes were introduced.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
vitek-karas
added a commit
that referenced
this pull request
Jul 1, 2026
Updates the three CI outer-loop agentic workflows to use Claude Opus 4.8, since Opus 4.6 is obsoleted: - `ci-failure-fix` (CI Outer-Loop Failure Fixer) - `ci-failure-scan` (CI Outer-Loop Failure Scanner) - `ci-failure-scan-feedback` (CI Outer-Loop Failure Scanner — Feedback) Each `.md` source changes `engine.model` from `claude-opus-4.6` to `claude-opus-4.8`. The `.lock.yml` files keep their existing content on `main` (compiler v0.71.5, including the hand-pinned `gh-aw-firewall` v0.27.7 images from #129616) and change **only** the model — the five `claude-opus-4.6` tokens plus the recomputed `frontmatter_hash`. No firewall, image-pin, cron, or other lock changes; the net diff vs `main` is exactly the model bump (18 insertions / 18 deletions across 6 files). ### Coordination note This overlaps with #129840, which upgrades gh-aw to v0.79.8 (schema v4) and recompiles the same files while keeping the model at Opus 4.6. If #129840 merges first, this branch should be rebased and the locks recompiled with v0.79.8 so it doesn't downgrade the compiler. > [!NOTE] > This pull request was authored by GitHub Copilot (AI-generated). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
vitek-karas
approved these changes
Jul 8, 2026
akoeplinger
reviewed
Jul 8, 2026
| job-1: | ||
| # Do not run this job in forks | ||
| if: github.repository == 'dotnet/runtime' | ||
| if: ${{ !github.event.repository.fork }} |
Member
There was a problem hiding this comment.
@jeffhandley @vitek-karas I don't think this works, I get the following error after pushing:
[Invalid workflow file: .github/workflows/ci-failure-scan-feedback.lock.yml#L1](https://github.com/dotnet/runtime/actions/runs/28930702147/workflow)
Unexpected tag '!github.event.repository.fork'
might need to do an explicit coercion to bool: github.event.repository.fork != true
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note
Portions of this pull request description were updated with the assistance of GitHub Copilot.