Commit ca991a2

davidslater, github-actions[bot], pelikhan and Copilot authored
fix: skip detection job when engine disabled; include patches in agent artifact (#22924)
* fix: skip detection job when engine is disabled with no custom steps

  When threat-detection is configured with engine: false and no custom steps, the detection job has nothing to run — the engine step is replaced with a comment, leaving detection.log empty. The parser correctly fails with 'No THREAT_DETECTION_RESULT found'.

  Fix: skip the entire detection job (and its dependencies in safe_outputs, conclusion, cache, and memory jobs) when EngineDisabled && len(Steps)==0.

  Recompile changeset.md which uses engine: false.

* fix: include aw-*.patch in agent artifact when threat detection is enabled

  When push-to-pull-request-branch is staged, usesPatchesAndCheckouts() returns false so patches weren't included in the agent artifact upload. But the detection job still needs them for security analysis (it checks HAS_PATCH and expects patch files in the downloaded artifact).

  Include aw-*.patch whenever threat detection is enabled, not just when the safe-output handler needs checkout.

  Recompile smoke-claude and smoke-codex to pick up the fix.

* Add changeset [skip-ci]

* refactor: extract HasRunnableDetection() to fix staticcheck QF1001

  Extract the negated condition into a method on ThreatDetectionConfig to eliminate De Morgan's law lint violations (QF1001) and improve readability across 8 call sites.

* refactor: use IsDetectionJobEnabled() helper everywhere; add patch artifact test

  - Extract IsDetectionJobEnabled(so *SafeOutputsConfig) as the single source of truth for whether the detection job should exist.
  - Replace all 8 inline checks across 7 files with the helper.
  - Add TestPatchIncludedInArtifactWhenThreatDetectionEnabled to verify aw-*.patch is included in the agent artifact when push-to-pr-branch is staged (usesPatchesAndCheckouts=false) but detection is enabled.

* plan: add integration tests for threat detection scenarios

  Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
  Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3f8f847c-6b8d-42f8-a3c1-55edfa21c472

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

1 parent 425f398 commit ca991a2

136 files changed

Lines changed: 237 additions & 121 deletions


.changeset/patch-skip-disabled-detection-job-and-include-patches.md

Lines changed: 5 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/workflows/agent-performance-analyzer.lock.yml

Lines changed: 1 addition & 0 deletions

.github/workflows/agent-persona-explorer.lock.yml

Lines changed: 1 addition & 0 deletions

.github/workflows/agentic-observability-kit.lock.yml

Lines changed: 1 addition & 0 deletions

.github/workflows/archie.lock.yml

Lines changed: 1 addition & 0 deletions

.github/workflows/artifacts-summary.lock.yml

Lines changed: 1 addition & 0 deletions

.github/workflows/audit-workflows.lock.yml

Lines changed: 1 addition & 0 deletions

.github/workflows/auto-triage-issues.lock.yml

Lines changed: 1 addition & 0 deletions

.github/workflows/blog-auditor.lock.yml

Lines changed: 1 addition & 0 deletions

.github/workflows/brave.lock.yml

Lines changed: 1 addition & 0 deletions
