Add threat-detection: { enabled: false } under safe-outputs in every
workflow .md file, then recompile all lock files. This removes the
detection job from all compiled workflows.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR disables the “threat-detection” feature across the repository’s agentic workflows by adding safe-outputs.threat-detection.enabled: false to each workflow source, then recompiling the generated .lock.yml workflows to remove the corresponding detection job and reduce CI runtime/billable minutes.
Changes:
- Add `safe-outputs: threat-detection: enabled: false` to workflow source `.md` files.
- Recompile workflow `.lock.yml` files to remove the `detection` job and update generated workflow templates/tooling versions.
- Update pinned GitHub Action SHAs in `.github/aw/actions-lock.json`.
| File | Description |
|---|---|
| .github/workflows/test-improver.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/test-coverage-improver.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/smoke-safeoutputs-reviews.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/smoke-safeoutputs-prs.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/smoke-safeoutputs-labels.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/smoke-safeoutputs-issues.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/smoke-safeoutputs-discussions.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/smoke-proxy-github-script.md | Disables threat-detection; frontmatter indentation around the new block needs alignment. |
| .github/workflows/smoke-copilot.md | Disables threat-detection; frontmatter indentation around the new block needs alignment. |
| .github/workflows/smoke-allowonly.md | Disables threat-detection; frontmatter indentation around the new block needs alignment. |
| .github/workflows/semantic-function-refactor.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/semantic-function-refactor.lock.yml | Recompiled output removing detection job; template/tooling updates applied. |
| .github/workflows/rust-guard-improver.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/repo-assist.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/release.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/plan.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/nightly-workflow-compiler.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/nightly-workflow-compiler.lock.yml | Recompiled output removing detection job; template/tooling updates applied. |
| .github/workflows/nightly-schema-updater.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/nightly-schema-updater.lock.yml | Recompiled output removing detection job; template/tooling updates applied. |
| .github/workflows/nightly-docs-reconciler.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/nightly-docs-reconciler.lock.yml | Recompiled output removing detection job; template/tooling updates applied. |
| .github/workflows/mcp-gateway-log-analyzer.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/mcp-gateway-log-analyzer.lock.yml | Recompiled output removing detection job; template/tooling updates applied. |
| .github/workflows/large-payload-tester.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/issue-monster.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/integrity-filtering-audit.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/integrity-filtering-audit.lock.yml | Recompiled output removing detection job; template/tooling updates applied. |
| .github/workflows/guard-status-tracker.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/gpl-dependency-checker.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/go-logger.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/go-fan.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/github-mcp-guard-coverage-checker.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/ghcr-download-tracker.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/gateway-issue-dispatcher.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/gateway-issue-dispatcher.lock.yml | Recompiled output removing detection job; template/tooling updates applied. |
| .github/workflows/duplicate-code-detector.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/daily-compliance-checker.md | Disables threat-detection via safe-outputs configuration. |
| .github/workflows/agentics-maintenance.yml | Regenerated maintenance workflow with updated action pins/tooling. |
| .github/aw/actions-lock.json | Updates pinned action SHAs/versions (notably github-script v9), but currently inconsistent with compiled lock files. |
Copilot's findings
- Files reviewed: 50/64 changed files
- Comments generated: 4
| "actions/github-script@v9": { | ||
| "repo": "actions/github-script", | ||
| "version": "v9", | ||
| "sha": "373c709c69115d41ff229c7e5df9f8788daa9553" |
actions/github-script@v9 is pinned to SHA 373c709c... here, but the compiled workflow lock files in this PR reference actions/github-script@3a2844b7... (e.g. .github/workflows/semantic-function-refactor.lock.yml manifest line 2). This mismatch can break any verification/upgrade tooling that expects lock files to match .github/aw/actions-lock.json. Align the SHA in the actions lock file with the SHA used by the compiled workflows (or recompile workflows after updating the actions lock) so there is a single source of truth.
| "sha": "373c709c69115d41ff229c7e5df9f8788daa9553" | |
| "sha": "<REPLACE_WITH_THE_EXACT_FULL_40_CHAR_SHA_FROM_THE_COMPILED_WORKFLOW_LOCK_FILES>" |
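The consistency check this comment asks for, as an added example (not code from the PR or the project): it compares every `uses:` reference in the compiled workflows with the SHAs recorded in the actions lock JSON. It assumes entries shaped like the one shown above (`repo`, `version`, `sha`) and goes one step further by also flagging references that are not a full 40-character SHA; the function names and sample data are hypothetical.

```python
import json
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def collect_pins(node, pins=None):
    """Walk parsed JSON; gather {repo: {sha, ...}} from objects with "repo" and "sha"."""
    pins = {} if pins is None else pins
    if isinstance(node, dict):
        if isinstance(node.get("repo"), str) and isinstance(node.get("sha"), str):
            pins.setdefault(node["repo"], set()).add(node["sha"].lower())
        children = list(node.values())
    else:
        children = node if isinstance(node, list) else []
    for child in children:
        collect_pins(child, pins)
    return pins

def find_pin_drift(actions_lock_text, workflows):
    """Return (file, line, action, ref, problem) for each `uses:` that disagrees with the pins."""
    pins = collect_pins(json.loads(actions_lock_text))
    findings = []
    for name, text in sorted(workflows.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m or m.group(1).startswith(("./", "docker://")):
                continue  # local and container actions carry no repository pin
            action, ref = m.group(1), m.group(2).lower()
            repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any sub-path
            if not FULL_SHA_RE.match(ref):
                problem = "not pinned to a full SHA"
            elif repo not in pins:
                problem = "no entry in actions lock"
            elif ref not in pins[repo]:
                problem = "SHA differs from actions lock"
            else:
                continue
            findings.append((name, lineno, action, ref, problem))
    return findings

# Constructed sample data; the SHAs are placeholders, not values from the PR.
SAMPLE_LOCK = json.dumps({"actions/github-script@v9": {
    "repo": "actions/github-script", "version": "v9", "sha": "a" * 40}})
SAMPLE_WORKFLOWS = {
    "ok.lock.yml": "steps:\n  - uses: actions/github-script@" + "a" * 40 + " # v9\n",
    "drift.lock.yml": "steps:\n  - uses: actions/github-script@" + "b" * 40 + " # v9\n"
                      "  - uses: actions/checkout@v4\n",
}
```

Run as a CI step over the real lock JSON and `.lock.yml` files, a non-empty result from `find_pin_drift` is the signal to fail the build.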
| safe-outputs: | ||
| threat-detection: | ||
| enabled: false |
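Review bot: `enabled: false` under `threat-detection` turns off the detection job for this workflow, and nothing in the frontmatter records why. Put a YAML comment on the `threat-detection:` line giving the reason and the condition for re-enabling it, so the disabled control stays visible when the workflow is audited later.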
Indentation under safe-outputs is inconsistent: enabled: false is indented deeper than the other option keys in this section (e.g. hide-older-comments). While YAML will usually still parse, this makes the frontmatter harder to read and can be brittle if any tooling assumes consistent indentation. Please align enabled: false indentation with the other nested keys under safe-outputs.
| safe-outputs: | ||
| threat-detection: | ||
| enabled: false |
Indentation under safe-outputs is inconsistent: enabled: false is indented more than the other nested keys under safe-outputs (e.g. hide-older-comments). Please align indentation for the new threat-detection block with the rest of the section to keep frontmatter formatting consistent.
| safe-outputs: | ||
| threat-detection: | ||
| enabled: false |
Indentation under safe-outputs is inconsistent: enabled: false is indented deeper than the other nested keys under safe-outputs (e.g. hide-older-comments). Please align indentation for the new threat-detection block with the rest of the section.
Adds `threat-detection: { enabled: false }` under `safe-outputs:` in all 31 workflow `.md` files and recompiles lock files.

This removes the `detection` job from all compiled workflows, reducing per-run overhead and billable minutes.

Changes:
- `.md` files: added `threat-detection: enabled: false`
- `.lock.yml` files: recompiled (net ~5400 lines removed from detection jobs)