[aw-failures] safe_outputs rejects add_comment items missing item_number when target:* is configured (PR Sous Chef, Contribution Check)

[github-actions]

Parent report: #35351

Problem

Three scheduled workflow runs failed in the last 6 hours with an identical, deterministic safe_outputs validation error:

##[error]✗ Message N (add_comment) failed: Target is "*" but no item_number/issue_number/pull_request_number/pr_number/pr/pull_number specified in add_comment item

The agent job ran to completion in every case; only the post-step safe_outputs job failed, which means the agent emitted add_comment items that the workflow's safe-outputs config marks as invalid. Because the failure is a hard validation (job exits non-zero), the entire workflow run is marked failure even though every other side effect succeeded.

Affected workflows and runs

Workflow	Run	Started (UTC)	Items rejected
PR Sous Chef	§26546260854	2026-05-28 00:07	2 of 3 add_comment items
PR Sous Chef	§26543349520	2026-05-27 22:49	2 of 3 add_comment items
Contribution Check	§26539586973	2026-05-27 21:23	2 of 4 add_comment items

Probable Root Cause

Both workflows declare safe-outputs.add-comment.target: "*" (.github/workflows/pr-sous-chef.md:132–135, .github/workflows/contribution-check.md:44–48). With target: "*" the safe-outputs processor requires every emitted item to carry an explicit target identifier (one of item_number, issue_number, pull_request_number, pr_number, pr, pull_number).

The agents in these workflows are emitting items that do not include any of those fields. Sample item from PR Sous Chef run §26546260854:

{
  "body": "<!-- gh-aw-pr-sous-chef-nudge -->\n@copilot review all comments and address the unresolved review threads...",
  "type": "add_comment",
  "temporary_id": "aw_aBpnpZZN"
}

The PR Sous Chef agent appears to have lost the active PR number between the loop that selected the PR and the call that emitted the add_comment. The Contribution Check agent appears to have intended to comment on PRs (e.g. #35304, #35305, #35286) but emitted items without issue_number, despite line 182 of contribution-check.md explicitly instructing "emit one add_comment safe output using issue_number and body".

Proposed Remediation (pick one — or both)

1. Workflow prompt tightening (preferred, lowest blast radius). Update the add_comment instruction blocks in pr-sous-chef.md and contribution-check.md so each tool-call template explicitly includes pr_number (PR Sous Chef) / issue_number (Contribution Check) as a required field, ideally with a worked example that shows the target being read from the loop variable. The contribution-checker prompt at contribution-check.md:182 already says this — but the agent isn't following it. A more directive phrasing, plus an explicit "never emit add_comment without a numeric target" rule, would help.
2. Defensive processor fallback. Optionally, allow the safe-outputs processor to inherit a target from the run's GitHub event context (pull_request.number on PR events, issue.number on issue events) when target: "*" is set and no per-item target is provided, instead of hard-failing. This is broader-scope and risks masking real bugs, so it should only land if option 1 doesn't stabilise these workflows.

Verification Steps Before Closing

• Check the agent emissions in successful PR Sous Chef runs (e.g. §26544899788) to confirm whether they include pr_number — i.e. whether the failing runs are a regression or a sporadic agent miss.
• After applying the prompt fix, the next 3 scheduled runs of each workflow must complete with safe_outputs succeeding.
• No new safe_outputs add_comment rejections should appear in agenticworkflows logs --start_date -24h for these workflow names.

Success Criteria

• add_comment validation errors stop appearing in the safe_outputs job logs of PR Sous Chef and Contribution Check.
• All scheduled runs of these two workflows return to conclusion: success (modulo unrelated failures).
• A regression test or workflow-lint rule is in place to detect add_comment items lacking a numeric target before they reach the safe-outputs processor (optional but recommended).

References

• Parent report: [aw-failures] Failure Investigator (6h) — 4 failures, safe_outputs add_comment validation breaks 3 workflows (2026-05-27 19:24 → 2026-05-28 01 [Content truncated due to length] #35351
• Workflow source: .github/workflows/pr-sous-chef.md, .github/workflows/contribution-check.md
• Safe-outputs runtime logs: /tmp/gh-aw/aw-mcp/logs/run-2654{6260854,3349520}/workflow-logs/1_safe_outputs.txt, /tmp/gh-aw/aw-mcp/logs/run-26539586973/workflow-logs/1_safe_outputs.txt
  Related to [aw-failures] Failure Investigator (6h) — 4 failures, safe_outputs add_comment validation breaks 3 workflows (2026-05-27 19:24 → 2026-05-28 01 [Content truncated due to length] #35351

Generated by 🔍 [aw] Failure Investigator (6h) · opus47 17.4M · ◷

• expires on Jun 4, 2026, 1:34 AM UTC

[github-actions]

🍪 Issue Monster selected this for Copilot

I've identified this issue as a good candidate for automated resolution and requested assignment to the Copilot coding agent.

If assignment succeeds, the Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster · haiku45 25K · ◷