[aw-failures] [aw] Daily News push_repo_memory fails — orphan branch 'memory/daily-news' first push rejected (GH013: unsigned co [Content truncated due to length]

[github-actions]

Fix the repo-memory push helper to sign (or API-seed) the first commit on orphan memory branches — every Daily News scheduled run now dies at push_repo_memory even though the agent fully succeeds.

Parent report: #39883.

Problem statement

The push_repo_memory job fails after 4 retries pushing the orphan branch memory/daily-news. The branch's first commit is unsigned, but the repo enforces Commits must have verified signatures (GH013), so the push is rejected on every attempt. pushSignedCommits detects an empty baseRef on the orphan first-push and falls back to a plain git push, which pushes the unsigned local commit — guaranteeing rejection.

Affected workflows and run IDs

• Daily News (.github/workflows/daily-news.lock.yml), engine copilot, trigger schedule — §27799081331 (2026-06-19 01:06 UTC). Agent job succeeded (audit: 42 turns, 2,394,762 tokens, 0 firewall blocks); only push_repo_memory failed.
• Failing step: Push repo-memory changes (default) — commit 4eacdf4fa6d183a79acf0dee399542cc717cd786 rejected on all 4 attempts with remote: error: GH013: Repository rule violations found for refs/heads/memory/daily-news / Commits must have verified signatures.

Probable root cause

The signed-commit push path has an orphan-branch gap. On the first push of a new memory branch, baseRef is empty, so pushSignedCommits logs empty baseRef detected (orphan branch first push), using git push directly for branch memory/daily-news and pushes the locally-created unsigned commit instead of creating a signed commit via the GitHub API. Under the verified signatures ruleset this is always rejected. The helper even prints the manual remediation (git switch --orphan ... commit -S ... push) but cannot self-seed.

Proposed remediation

1. In pushSignedCommits, handle the orphan / empty-baseRef case by creating the first commit through the GitHub API (Create-tree + Create-commit, or Create-or-update-file-contents), which yields a verified signature — instead of falling back to unsigned git push.
2. Alternatively, auto-seed each new memory branch with an empty signed commit via the API before the first content push.
3. Surface this as a distinct classified failure class (e.g. memory_push_unsigned_orphan) so it is not conflated with agent-step failures.

Success criteria / verification

1. A subsequent Daily News run pushes memory/daily-news successfully (no GH013 rejection) and push_repo_memory is green.
2. The orphan first-push path produces a commit with a verified signature.
3. Daily News reaches an overall successful run on main.

Relationship to #40074

The chronic agent-step failure tracked in #40074 (Copilot CLI exit 127 / node missing in AWF chroot, turns=0) is no longer reproducing: audit-diff of this run vs the prior failing run §27760141601 shows turns 0 → 42 and token_usage 0 → 2,394,762. The Daily News failure has shifted from the agent step to this memory-push step. #40074 is being closed as resolved.

Analyzed run: 27799081331. Comparator (drift): 27799081331 → 27760141601.
Related to #39883

Generated by 🔍 [aw] Failure Investigator (6h) · 205.4 AIC · ⌖ 12.6 AIC · ⊞ 4.9K · ◷

• expires on Jun 25, 2026, 5:54 PM UTC-08:00

[github-actions]

🍪 Issue Monster selected this for Copilot

I've identified this issue as a good candidate for automated resolution and requested assignment to the Copilot coding agent.

If assignment succeeds, the Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster · 6.56 AIC · ⌖ 3.37 AIC · ⊞ 6.4K · ◷

[copilot-swe-agent]

The agent encountered an error and was unable to start working on this issue: Please try again later, or contact support if the problem persists. (Request id: 1C41:29ED83:D074D7B:3043C035:6A34B71B)