From 611985bb6c1d1360f8f90ba56589d98a814a375f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sat, 23 May 2026 09:16:58 +0000
Subject: [PATCH] [instructions] Sync safe-outputs.md with v0.74.8

Add documentation for two safe-output operations that exist in code
(pkg/workflow/comment_memory.go, pkg/workflow/create_check_run.go) and
in the workflow schema but were missing from .github/aw/safe-outputs.md:

- comment-memory: managed memory comment persistence on issues/PRs
- create-check-run: surface agent analysis results as GitHub Check Runs

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/aw/safe-outputs.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/.github/aw/safe-outputs.md b/.github/aw/safe-outputs.md
index 06c8a62a3b6..a11f3ff90ca 100644
--- a/.github/aw/safe-outputs.md
+++ b/.github/aw/safe-outputs.md
@@ -136,6 +136,21 @@ Safe outputs are the primary mechanism for write operations in agentic workflows
   {"type": "add_comment", "body": "Thread reply text", "reply_to_id": 12345}
   ```
 
+- `comment-memory:` - Persist and update a managed memory comment on the triggering issue/PR
+
+  ```yaml
+  safe-outputs:
+    comment-memory:
+      max: 1                          # Optional: max comment_memory updates (default: 1, range: 1-100)
+      target: "triggering"            # Optional: "triggering" (default), "*", or explicit issue/PR number
+      memory-id: "default"            # Optional: default memory identifier when items omit memory_id (default: "default")
+      footer: true                    # Optional: include AI footer in the managed comment (default: true)
+      target-repo: "owner/repo"       # Optional: cross-repository
+      allowed-repos: [owner/other]    # Optional: additional repos agent can target
+  ```
+
+  Boolean shorthand: `comment-memory: true` enables defaults; `false` or `null` disables. The handler materializes memory content to files before agent execution and synchronizes edits back to a single managed comment on the issue/PR after execution, providing durable cross-run state without external storage.
+
 - `create-pull-request:` - Safe pull request creation with git patches
 
   ```yaml
@@ -647,6 +662,20 @@ Safe outputs are the primary mechanism for write operations in agentic workflows
   ```
 
   Provides automated fixes for code scanning alerts.
+- `create-check-run:` - Create GitHub Check Runs to surface agent analysis results in the PR Checks UI
+
+  ```yaml
+  safe-outputs:
+    create-check-run:
+      name: "Security Analysis"       # Optional: check run name (defaults to workflow name)
+      max: 1                          # Optional: max check runs per workflow run (default: 1)
+      output:                         # Optional: static fallback values used when the agent omits the field
+        title: "Pending analysis"     # Fallback title (max 256 chars)
+        summary: "Awaiting agent output"  # Fallback summary (max 65535 chars)
+  ```
+
+  Requires `checks: write` permission, which is added automatically. Agents call `create_check_run` with `conclusion` (e.g., `success`, `failure`, `neutral`), `title`, `summary`, and optional `annotations`. Useful for reporting structured analysis results (security findings, code quality, test outcomes) directly on commits and pull requests.
+
 - `create-agent-session:` - Create GitHub Copilot coding agent sessions
 
   ```yaml