feat: add gh-aw-detection: true to 4 flagged audit/analysis workflows#45575
Conversation
Add `gh-aw-detection: true` to the `features` frontmatter of: - typist.md (Typist - Go Type Analysis) - github-mcp-structural-analysis.md (GitHub MCP Structural Analysis) - prompt-clustering-analysis.md (Copilot Agent Prompt Clustering Analysis) - example-workflow-analyzer.md (Weekly Workflow Analysis) Note: agentic-token-audit.md (Daily Agentic Workflow AIC Usage Audit) has `source: githubnext/agentic-ops@...` and is upstream-managed — changes must go through the upstream repo first. Closes #45284 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
🤖 PR Triage — Run §29379921158
Score breakdown: impact 10 + urgency 8 + quality 12 Rationale: Adds
|
|
Thanks for tackling the Suggested next step: move this into an issue/implementation plan that lists the target workflow markdown files, expected lockfile recompilation, and validation commands/results.
|
There was a problem hiding this comment.
Pull request overview
Adds external gh-aw-detection support to four audit and analysis workflows.
Changes:
- Enables
gh-aw-detectionin workflow frontmatter. - Regenerates lock files with the external threat-detection pipeline.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/typist.md |
Enables detection. |
.github/workflows/typist.lock.yml |
Regenerates compiled workflow. |
.github/workflows/prompt-clustering-analysis.md |
Enables detection. |
.github/workflows/prompt-clustering-analysis.lock.yml |
Regenerates compiled workflow. |
.github/workflows/github-mcp-structural-analysis.md |
Enables detection. |
.github/workflows/github-mcp-structural-analysis.lock.yml |
Regenerates compiled workflow. |
.github/workflows/example-workflow-analyzer.md |
Enables detection. |
.github/workflows/example-workflow-analyzer.lock.yml |
Regenerates compiled workflow. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 8/8 changed files
- Comments generated: 4
- Review effort level: Medium
| - name: Execute threat detection with AWF | ||
| id: detection_agentic_execution | ||
| # Allowed tools (sorted): | ||
| # - Bash | ||
| # - BashOutput | ||
| # - Edit(/tmp/*) | ||
| # - ExitPlanMode | ||
| # - Glob | ||
| # - Grep | ||
| # - KillBash | ||
| # - LS | ||
| # - MultiEdit(/tmp/*) | ||
| # - NotebookRead | ||
| # - Read | ||
| # - Read(/tmp/*) | ||
| # - Task | ||
| # - TodoWrite | ||
| # - Write(/tmp/*) | ||
| timeout-minutes: 20 | ||
| if: always() && steps.detection_guard.outputs.run_detection == 'true' | ||
| continue-on-error: true |
| - name: Execute threat detection with AWF | ||
| id: detection_agentic_execution | ||
| # Allowed tools (sorted): | ||
| # - Bash | ||
| # - BashOutput | ||
| # - Edit(/tmp/*) | ||
| # - ExitPlanMode | ||
| # - Glob | ||
| # - Grep | ||
| # - KillBash | ||
| # - LS | ||
| # - MultiEdit(/tmp/*) | ||
| # - NotebookRead | ||
| # - Read | ||
| # - Read(/tmp/*) | ||
| # - Task | ||
| # - TodoWrite | ||
| # - Write(/tmp/*) | ||
| timeout-minutes: 20 | ||
| if: always() && steps.detection_guard.outputs.run_detection == 'true' | ||
| continue-on-error: true |
| - name: Execute threat detection with AWF | ||
| id: detection_agentic_execution | ||
| # Allowed tools (sorted): | ||
| # - Bash | ||
| # - BashOutput | ||
| # - Edit(/tmp/*) | ||
| # - ExitPlanMode | ||
| # - Glob | ||
| # - Grep | ||
| # - KillBash | ||
| # - LS | ||
| # - MultiEdit(/tmp/*) | ||
| # - NotebookRead | ||
| # - Read | ||
| # - Read(/tmp/*) | ||
| # - Task | ||
| # - TodoWrite | ||
| # - Write(/tmp/*) | ||
| timeout-minutes: 20 | ||
| if: always() && steps.detection_guard.outputs.run_detection == 'true' | ||
| continue-on-error: true |
| - name: Execute threat detection with AWF | ||
| id: detection_agentic_execution | ||
| # Allowed tools (sorted): | ||
| # - Bash | ||
| # - BashOutput | ||
| # - Edit(/tmp/*) | ||
| # - ExitPlanMode | ||
| # - Glob | ||
| # - Grep | ||
| # - KillBash | ||
| # - LS | ||
| # - MultiEdit(/tmp/*) | ||
| # - NotebookRead | ||
| # - Read | ||
| # - Read(/tmp/*) | ||
| # - Task | ||
| # - TodoWrite | ||
| # - Write(/tmp/*) | ||
| timeout-minutes: 20 | ||
| if: always() && steps.detection_guard.outputs.run_detection == 'true' | ||
| continue-on-error: true |
DeepReport detection-analysis flagged 5 audit/analysis workflows running without
gh-aw-detection: true. This adds the flag to bring them to a consistent detection posture.Changes
features: gh-aw-detection: trueto frontmatter of:typist.md(Typist - Go Type Analysis)github-mcp-structural-analysis.md(GitHub MCP Structural Analysis)prompt-clustering-analysis.md(Copilot Agent Prompt Clustering Analysis)example-workflow-analyzer.md(Weekly Workflow Analysis).lock.ymlfilesOut of scope
agentic-token-audit.md(Daily Agentic Workflow AIC Usage Audit) declaressource: githubnext/agentic-ops@...and is upstream-managed — the change must be made in the upstream repo and pulled in viagh aw update.