Fix runtime-import file path resolution and checkout#13931
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
The runtime-import macro now uses the full relative path from workspace root (.github/workflows/file.md) instead of just the path relative to .github folder (workflows/file.md). This makes the path explicit and matches the actual file location in the repository. Changes: - Updated compiler_yaml.go to include .github/ in the runtime-import path - Recompiled all 145 workflows with the new path format - All tests pass with the new format The JavaScript runtime_import.cjs already handles both formats correctly by stripping the .github/ prefix before resolving the path. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed issue where workflows with runtime-imports but no explicit contents:read permission in frontmatter were not getting repository checkout, causing runtime-import to fail at execution. Root cause: shouldAddCheckoutStep() only checked frontmatter permissions, not accounting for contents:read being added automatically in dev mode for local actions. Fix: Modified shouldAddCheckoutStep() to check if contents:read will be added in dev/script mode before deciding to skip checkout. This ensures all workflows that use runtime-import (which is all workflows in dev mode) get the necessary repository checkout. Changes: - Updated shouldAddCheckoutStep() in compiler_jobs.go to check willAddContentsRead - Updated test expectations to reflect new behavior - All workflows now properly get checkout when using runtime-import - Verified issue-triage-agent workflow now has "Checkout repository" step Testing: - All runtime-import tests pass - Checkout optimization tests pass with updated expectations - Fixed test for dev mode behavior in engine_agent_import_test.go Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
❌ Changeset Generator failed. Please review the logs for details. |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
Removed unused code: - Removed containsRuntimeImports() function - no longer needed after checkout logic change - Removed runtimeImportMacroRe regex - was only used by containsRuntimeImports() - Removed unused regexp import All lint checks pass and workflow-related tests pass. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent Container Tool Check
Result: 10/12 tools fully available, 2/12 have aliasing issues Status: PARTIAL - Core development tools (bash, sh, git, jq, yq, curl, gh, node, python3, go) are working correctly. Java and .NET binaries exist on the system but are incorrectly aliased/symlinked to bash, making them unusable.
|
|
Smoke Test Results - Run 21716142869 PR Titles:
Test Results: Overall Status: ✅ PASS cc @pelikhan
|
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
There was a problem hiding this comment.
Pull request overview
This PR fixes runtime-import file path resolution and ensures proper repository checkout for workflows using runtime-import feature in dev mode. The main issues addressed are: (1) ambiguous file paths in runtime-import macros, and (2) missing repository checkout for workflows without explicit contents: read permission when local actions are used in dev mode.
Changes:
- Changed runtime-import path format from
workflows/file.mdto.github/workflows/file.mdfor clarity - Updated
shouldAddCheckoutStep()logic to account for automaticcontents: readaddition in dev mode - Modified tests to reflect the new behavior where full checkout is added when
contents: readwill be added automatically
Reviewed changes
Copilot reviewed 149 out of 149 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/compiler_yaml.go | Updated path resolution to use .github/workflows/ prefix instead of workflows/ |
| pkg/workflow/compiler_jobs.go | Modified checkout logic to check if contents: read will be added automatically in dev mode; removed containsRuntimeImports() function |
| pkg/workflow/github_folder_checkout_optimization_test.go | Updated test expectations to reflect that full checkout is now added in dev mode for runtime-import |
| pkg/workflow/engine_agent_import_test.go | Added action mode configuration to test to prevent automatic contents: read addition |
| .github/workflows/*.lock.yml | All workflow lock files updated with new path format (.github/workflows/) and added repository checkout steps where needed |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -480,22 +446,23 @@ func (c *Compiler) shouldAddCheckoutStep(data *WorkflowData) bool { | |||
| return true // Custom agent file requires checkout to access the file | |||
| } | |||
|
|
|||
| // Check condition 3: If permissions don't grant contents access, don't add checkout | |||
| // This must be checked before runtime-imports check because checkout requires permissions | |||
| // Check condition 3: Check if we have or will have contents: read permission | |||
| // In dev mode, contents: read is added automatically for local actions checkout | |||
| // So we need to account for that when deciding whether to add repository checkout | |||
| permParser := NewPermissionsParser(data.Permissions) | |||
| if !permParser.HasContentsReadAccess() { | |||
| hasContentsRead := permParser.HasContentsReadAccess() | |||
|
|
|||
| // In dev mode, if we'll add contents: read for actions folder, we should also add repository checkout | |||
| // because all workflows use runtime-import for the main workflow file | |||
| willAddContentsRead := (c.actionMode.IsDev() || c.actionMode.IsScript()) && len(c.generateCheckoutActionsFolder(data)) > 0 | |||
|
|
|||
| if !hasContentsRead && !willAddContentsRead { | |||
| log.Print("Skipping checkout step: no contents read access in permissions") | |||
| return false // No contents read access, so checkout is not needed | |||
| } | |||
|
|
|||
| // Check condition 4: If markdown contains runtime-import macros, checkout is required | |||
| // Runtime imports need to read files from the .github folder at runtime | |||
| // This check only matters if permissions allow contents access (checked above) | |||
| if containsRuntimeImports(data.MarkdownContent) { | |||
| log.Print("Adding checkout step: markdown contains runtime-import macros") | |||
| return true // Runtime imports require checkout to access repository files | |||
| } | |||
|
|
|||
| // If we get here, permissions allow contents access and custom steps (if any) don't contain checkout | |||
| return true // Add checkout because it's needed and not already present | |||
| // If we have or will have contents: read, add checkout | |||
| // This is needed because all workflows use runtime-import for the main workflow file | |||
| log.Print("Adding checkout step: contents read access is available or will be added") | |||
| return true | |||
| } | |||
There was a problem hiding this comment.
The function containsRuntimeImports has been removed from compiler_jobs.go, but there's still a test file runtime_import_checkout_test.go that references and tests this function. This test file is marked with //go:build integration tag, so it won't run in standard test suites, but it will fail when integration tests are run. The function should either be kept (perhaps as a private helper if still needed for tests) or the test file should be updated to reflect the new logic where checkout decisions are based on whether contents: read permission will be available rather than scanning for runtime-import macros.
| // Check condition 3: Check if we have or will have contents: read permission | ||
| // In dev mode, contents: read is added automatically for local actions checkout | ||
| // So we need to account for that when deciding whether to add repository checkout | ||
| permParser := NewPermissionsParser(data.Permissions) | ||
| if !permParser.HasContentsReadAccess() { | ||
| hasContentsRead := permParser.HasContentsReadAccess() | ||
|
|
||
| // In dev mode, if we'll add contents: read for actions folder, we should also add repository checkout | ||
| // because all workflows use runtime-import for the main workflow file | ||
| willAddContentsRead := (c.actionMode.IsDev() || c.actionMode.IsScript()) && len(c.generateCheckoutActionsFolder(data)) > 0 | ||
|
|
||
| if !hasContentsRead && !willAddContentsRead { | ||
| log.Print("Skipping checkout step: no contents read access in permissions") | ||
| return false // No contents read access, so checkout is not needed | ||
| } | ||
|
|
||
| // Check condition 4: If markdown contains runtime-import macros, checkout is required | ||
| // Runtime imports need to read files from the .github folder at runtime | ||
| // This check only matters if permissions allow contents access (checked above) | ||
| if containsRuntimeImports(data.MarkdownContent) { | ||
| log.Print("Adding checkout step: markdown contains runtime-import macros") | ||
| return true // Runtime imports require checkout to access repository files | ||
| } | ||
|
|
||
| // If we get here, permissions allow contents access and custom steps (if any) don't contain checkout | ||
| return true // Add checkout because it's needed and not already present | ||
| // If we have or will have contents: read, add checkout | ||
| // This is needed because all workflows use runtime-import for the main workflow file | ||
| log.Print("Adding checkout step: contents read access is available or will be added") | ||
| return true | ||
| } |
There was a problem hiding this comment.
The new checkout logic doesn't fully handle the action-tag feature scenario. When action-tag is specified (using remote actions), the following happens:
generateCheckoutActionsFolder()returns nil → no actions checkoutwillAddContentsReadbecomes false (line 457)- Without explicit
contents: readpermission, this function returns false → no repository checkout - Additionally,
generateCheckoutGitHubFolder()(in compiler_yaml_helpers.go:161-167) also skips checkout whenaction-tagis present - But the compiler ALWAYS adds runtime-import for the main workflow (compiler_yaml.go:309)
This means workflows using action-tag without explicit contents: read will fail at runtime because the runtime-import macro tries to read .github/workflows/file.md but the repository isn't checked out.
The same issue affects release mode without explicit contents: read.
Potential solutions:
- Don't skip
.githubcheckout ingenerateCheckoutGitHubFolder()whenaction-tagis present (runtime-import always needs it) - Add
contents: readautomatically when runtime-import is used (similar to how it's done for actions folder) - Make runtime-import conditional on whether checkout will happen
Runtime-import file paths were ambiguous (
workflows/file.md) and workflows without explicitcontents: readpermission failed to checkout.githubfolder, breaking runtime-import execution.Changes
Path format
.github/workflows/file.mdinstead ofworkflows/file.mdCheckout logic
shouldAddCheckoutStep()to check ifcontents: readwill be added automatically in dev modeExample:
issue-triage-agent.mdwithpermissions: {issues: read}now gets:Impact
All workflows using runtime-import (which is all workflows in dev mode, since the compiler adds
{{#runtime-import .github/workflows/file.md}}for the main workflow) now get proper repository checkout regardless of frontmatter permissions.Original prompt
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.