🏥 Safe Output Health Report - November 21, 2025

[github-actions[bot]]

🏥 Safe Output Health Report - November 21, 2025

Executive Summary

Over the last 24 hours, 84 workflow runs were analyzed, resulting in 44 safe output job executions. The overall health of safe output jobs is excellent with a 93% success rate. Only 3 failures were identified, clustered into 2 distinct error patterns.

• Period: Last 24 hours (Nov 20-21, 2025)
• Runs Analyzed: 84
• Workflows Active: Multiple (daily-news, smoke-claude, dev-hawk, etc.)
• Safe Output Jobs Executed: 44
• Safe Output Jobs Failed: 3
• Error Clusters Identified: 2

Safe Output Job Statistics

Job Type	Total Executions	Failures	Success Rate
create_discussion	10	0	100% ✅
create_issue	13	0	100% ✅
add_comment	7	0	100% ✅
missing_tool	5	0	100% ✅
create_pull_request	6	2	67% ⚠️
push_to_pull_request_branch	3	1	67% ⚠️
TOTAL	44	3	93%

Error Clusters

Cluster 1: Permission Error - Unable to Request Reviewer Bot

• Count: 2 occurrences
• Affected Jobs: create_pull_request
• Affected Runs: §19544887449, §19552091991
• Severity: 🟡 Medium
• Sample Error:

  gh: Resource not accessible by personal access token (HTTP 403)
  {"message":"Resource not accessible by personal access token",
   "documentation_url":"https://docs.github.com/rest/pulls/review-requests#request-reviewers-for-a-pull-request",
   "status":"403"}
  

Root Cause: The GitHub token used by create_pull_request safe output jobs lacks permissions to request reviewers via the API endpoint /repos/githubnext/gh-aw/pulls/$PR_NUMBER/requested_reviewers. The PR is successfully created, but the subsequent step to add copilot-pull-request-reviewer[bot] as a reviewer fails with HTTP 403.

Impact:

• Pull requests are created successfully
• Automated reviewer assignment fails
• Requires manual reviewer assignment
• Job marked as failed even though PR creation succeeded

Technical Details:

gh api --method POST /repos/githubnext/gh-aw/pulls/$PR_NUMBER/requested_reviewers \
  -f 'reviewers[]=copilot-pull-request-reviewer[bot]'

This command fails because the GITHUB_TOKEN lacks the necessary scope or the requesting reviewers API endpoint requires additional permissions beyond pull_requests: write.

---

Cluster 2: Artifact Not Found - aw.patch Missing

• Count: 1 occurrence
• Affected Jobs: push_to_pull_request_branch
• Affected Runs: §19521286551
• Severity: 🔴 High
• Sample Error:

  ##[error]Unable to download artifact(s): Artifact not found for name: aw.patch
  Please ensure that your artifact is not expired and the artifact was uploaded
  using a compatible version of toolkit/upload-artifact.
  

Root Cause: The push_to_pull_request_branch job depends on an aw.patch artifact that should be uploaded by the agent job. The artifact is either:

1. Not being uploaded by the agent job
2. Uploaded with a different name
3. Failed to upload due to an error in the agent job
4. Expired before the safe output job executes (unlikely within same workflow)

Impact:

• Push to pull request branch completely fails
• Cannot apply patches to existing PRs
• Workflow fails to complete its intended action
• Critical dependency chain broken

Technical Details:
The job uses:

- uses: actions/download-artifact@v4
  with:
    name: aw.patch
    path: /tmp/gh-aw/

This suggests the agent job should upload an artifact named aw.patch containing the git patch to be applied.

Root Cause Analysis

Permission-Related Issues

The create_pull_request job failures are permission issues related to the GitHub API. The GITHUB_TOKEN used in the workflow has sufficient permissions to create pull requests but lacks the ability to request reviewers. According to GitHub's API documentation, requesting reviewers requires either:

• Organization-level permissions (for org-owned repos)
• Fine-grained token with additional scopes
• GitHub App with appropriate permissions

Data/Artifact Issues

The push_to_pull_request_branch failure is a dependency chain issue. The job assumes an artifact exists but cannot find it, indicating:

• Missing artifact upload step in agent job
• Incorrect artifact naming
• Conditional artifact upload that wasn't triggered
• Job dependency misconfiguration

Recommendations

Critical Issues (Immediate Action Required)

1. Fix Artifact Upload for push_to_pull_request_branch

• Priority: 🔴 Critical
• Root Cause: Missing aw.patch artifact
• Recommended Action:
  • Audit agent job to verify artifact upload step exists
  • Ensure artifact is uploaded with exact name "aw.patch"
  • Add validation to check artifact was successfully uploaded
  • Consider adding artifact retention policies
• Affected: push_to_pull_request_branch jobs
• Files to Check: Agent job configuration, workflow YAML files

---

Bug Fixes Required

2. Handle Reviewer Request Permission Gracefully

• Priority: 🟡 Medium
• File/Location: create_pull_request safe output job implementation
• Problem: Job fails after successfully creating PR when reviewer assignment fails
• Fix: Make reviewer assignment optional with graceful error handling
• Proposed Code Change:

  # Current (fails hard)
  gh api --method POST /repos/.../requested_reviewers ...
  
  # Proposed (graceful fallback)
  if ! gh api --method POST /repos/.../requested_reviewers ... 2>/dev/null; then
    echo "⚠️  Unable to assign reviewer (permissions required). PR created successfully."
    echo "Please manually assign reviewers if needed."
  fi

• Affected Jobs: create_pull_request

---

Configuration Changes

3. Update GITHUB_TOKEN Permissions for Reviewer Requests

• Priority: 🟡 Medium
• Current: GITHUB_TOKEN has pull_requests: write but cannot request reviewers
• Recommended:
  • If using GitHub App: Add pull_requests: write permission for "Request reviewers"
  • If using PAT: Ensure token has repo or public_repo scope
  • If using GITHUB_TOKEN: May need to switch to GitHub App or PAT with elevated permissions
• Reason: GitHub's API for requesting reviewers requires additional permissions beyond basic PR creation
• Documentation: https://docs.github.com/rest/pulls/review-requests#request-reviewers-for-a-pull-request

---

Work Item Plans

Work Item 1: Fix Missing aw.patch Artifact Upload

• Type: 🐛 Bug Fix
• Priority: 🔴 Critical
• Description: The push_to_pull_request_branch safe output job fails because it cannot find the required aw.patch artifact. Investigation is needed to determine why the artifact is not being uploaded by the agent job.

Acceptance Criteria:

• Agent job successfully uploads aw.patch artifact in all scenarios
• push_to_pull_request_branch job can consistently download the artifact
• Add validation/logging to confirm artifact upload success
• Add error handling for missing artifacts with clear error messages
• Test with at least 3 successful runs of push_to_pull_request_branch

Technical Approach:

1. Review agent job workflow definition to locate artifact upload step
2. Check if artifact upload is conditional and why condition might not be met
3. Verify artifact naming matches exactly between upload and download
4. Add explicit artifact upload step if missing
5. Add workflow logging to confirm artifact creation and upload
6. Test with sample workflow run that triggers push_to_pull_request_branch

Investigation Steps:

# Find where aw.patch should be created
grep -r "aw.patch" .github/workflows/

# Check agent job artifact upload configuration
# Look for actions/upload-artifact usage in agent jobs

# Verify artifact upload logic in safe output framework
grep -r "upload-artifact" pkg/workflow/

Estimated Effort: Medium (4-8 hours)

• 2 hours: Investigation and root cause identification
• 2 hours: Implementation of fix
• 2-4 hours: Testing and validation

Dependencies: None

---

Work Item 2: Make Reviewer Assignment Optional in create_pull_request

• Type: 🔧 Enhancement
• Priority: 🟡 Medium
• Description: The create_pull_request job fails after successfully creating a PR when it attempts to assign reviewers but lacks permissions. The job should succeed even if reviewer assignment fails, since the primary goal (PR creation) was achieved.

Acceptance Criteria:

• PR creation succeeds even if reviewer assignment fails
• Clear warning message when reviewer assignment fails due to permissions
• Job marked as successful when PR is created (regardless of reviewer assignment)
• Optionally add note to PR body when automatic reviewer assignment fails
• Backward compatible with existing workflows

Technical Approach:

1. Locate reviewer assignment code in create_pull_request safe output job
2. Wrap reviewer assignment in conditional/error handling
3. Log warning instead of failing when reviewer assignment fails
4. Optionally add comment to PR explaining manual reviewer assignment needed
5. Update job status logic to consider PR creation as primary success criterion

Files to Modify:

• pkg/safeoutputs/create_pull_request.go (or equivalent)
• Shell scripts used by create_pull_request job
• Workflow job builders for create_pull_request

Proposed Implementation:

# Add error handling for reviewer request
set +e  # Don't exit on error for reviewer assignment
gh api --method POST /repos/githubnext/gh-aw/pulls/$PR_NUMBER/requested_reviewers \
  -f 'reviewers[]=copilot-pull-request-reviewer[bot]' 2>&1 | tee /tmp/reviewer_result.txt
REVIEWER_EXIT=$?
set -e

if [ $REVIEWER_EXIT -ne 0 ]; then
  echo "⚠️  Warning: Unable to assign automatic reviewers (requires additional permissions)"
  echo "PR #$PR_NUMBER created successfully but reviewer assignment failed"
  echo "Please manually assign reviewers as needed"

  # Optionally add comment to PR
  gh pr comment $PR_NUMBER --body "⚠️  Automated reviewer assignment failed due to permission constraints. Please manually assign reviewers."
else
  echo "✅  Reviewers assigned successfully"
fi

Estimated Effort: Small (2-4 hours)

• 1 hour: Code changes
• 1 hour: Testing
• 1-2 hours: Documentation and review

Dependencies: None

---

Work Item 3: Document Token Permission Requirements

• Type: 📚 Documentation
• Priority: 🟢 Low
• Description: Create clear documentation explaining the token permissions required for each safe output job type, especially for operations that require elevated permissions like requesting reviewers.

Acceptance Criteria:

• Document all safe output job types and their permission requirements
• Add troubleshooting section for common permission errors
• Include examples of token configuration for different scenarios (PAT, GitHub App, GITHUB_TOKEN)
• Add permission requirement checks to safe output job validation
• Link to GitHub's official permission documentation

Technical Approach:

1. Audit all safe output job types and their API calls
2. Document minimum required permissions for each API endpoint
3. Create troubleshooting guide for 403 errors
4. Add permission validation to safe output job framework
5. Update README and developer documentation

Content to Include:

• Permission matrix: job type → required scopes
• How to configure GitHub Apps vs PATs
• Common permission errors and solutions
• Testing permission configurations
• Security best practices

Estimated Effort: Small (2-4 hours)

Dependencies: Work Item 2 (to document recommended approach)

Historical Context

First Audit: This is the inaugural Safe Output Health Report. No historical data is available for trend analysis. Future audits will compare against this baseline.

Trends

• Most Reliable Job Types: add_comment, create_discussion, create_issue, missing_tool (100% success rate)
• Most Problematic Job Types: create_pull_request, push_to_pull_request_branch (67% success rate)
• Primary Issue Categories:
  1. Permission/Authorization (2 failures)
  2. Dependency/Artifact Management (1 failure)

Metrics and KPIs

• Overall Safe Output Success Rate: 93% ✅
• Most Reliable Job Type: add_comment, create_discussion, create_issue, missing_tool (100%)
• Most Problematic Job Type: create_pull_request, push_to_pull_request_branch (67%)
• Average Failures Per Day: 3
• Error Clustering Effectiveness: 100% (all failures clustered into 2 distinct patterns)

Next Steps

• Complete safe output health audit for last 24 hours
• Identify and cluster error patterns
• Create work item plans for fixes
• Investigate aw.patch artifact upload in agent jobs (Critical)
• Implement graceful error handling for reviewer assignment (Medium priority)
• Document permission requirements for safe output jobs (Low priority)
• Re-run audit in 24 hours to measure improvement

---

References:

• §19521286551
• §19544887449
• §19552091991

AI generated by Safe Output Health Monitor