Route harness fallback diagnostics through safeoutputs CLI

[Copilot]

When agentic runs failed after retry exhaustion, harnesses attempted to append fallback diagnostics directly to outputs.jsonl; in read-only teardown states this hit EROFS, dropping structured failure signals. This change moves fallback emission to the safeoutputs CLI path so missing_tool / report_incomplete diagnostics are still emitted through the supported channel — for all three harnesses (Copilot, Claude, Codex).

• Shared CLI helper module (safeoutputs_cli.cjs)

  • Extracts runSafeOutputsCLI, buildMissingToolAlternatives, emitMissingToolPermissionIssue, and emitInfrastructureIncomplete into a single shared module consumed by all harnesses
  • Error summaries use toolName(key1, key2) format for deterministic, value-free context

• Fallback emission path

  • emitMissingToolPermissionIssue now emits via safeoutputs missing_tool ... in all harnesses
  • emitInfrastructureIncomplete now emits via safeoutputs report_incomplete ...
  • Removes direct dependency on appending fallback payloads to GH_AW_SAFE_OUTPUTS file for these paths
  • claude_harness and codex_harness switch from the old appendFileSync path to the shared CLI path

• CLI emission hardening

  • Validates CLI argument keys before constructing flags
  • Improves error context to include tool name and key summary when CLI invocation fails
  • Preserves existing skip behavior when GH_AW_SAFE_OUTPUTS is unset

• Permission-denied diagnostics payload shaping

  • Keeps denied-command context in alternatives
  • Bounds output to safe length with compact overflow marker (... and N more) instead of naive truncation

• Tests

  • Adds safeoutputs_cli.test.cjs with 15 tests covering the shared module directly
  • Updates fallback emission tests to assert CLI invocation contract
  • Adds coverage for CLI failure logging path and alternatives formatting (empty list, capped length, overflow marker)

// safeoutputs_cli.cjs — shared by copilot_harness, claude_harness, codex_harness
runSafeOutputs("missing_tool", {
  tool: "tool/permission",
  reason: "missing tool/permission issue: numerous permission denied errors detected",
  alternatives: buildMissingToolAlternatives("Verify token scopes...", deniedCommands),
});

runSafeOutputs("report_incomplete", {
  reason: "infrastructure_error",
  details,
});

[pelikhan]

@copilot merge main and recompile

[Copilot]

Pull request overview

Routes Copilot harness fallback diagnostics (missing_tool / report_incomplete) through the safeoutputs CLI instead of appending JSONL directly to GH_AW_SAFE_OUTPUTS, so structured failure signals survive read-only teardown states (EROFS). Denied-command context is folded into the alternatives field with bounded length, and tests are updated to assert the CLI invocation contract.

Changes:

• Adds runSafeOutputsCLI helper (with key validation and richer error context) and buildMissingToolAlternatives (512-char cap with ... and N more overflow marker).
• Switches emitMissingToolPermissionIssue and emitInfrastructureIncomplete from appendFileSync to CLI invocation; preserves skip behavior when GH_AW_SAFE_OUTPUTS is unset.
• Updates harness tests for the new CLI contract and adds coverage for empty/capped/overflow alternatives and CLI failure logging.

Show a summary per file

File	Description
actions/setup/js/copilot_harness.cjs	Adds CLI-based safeoutputs emission and bounded alternatives builder; replaces direct file appends in fallback emitters.
actions/setup/js/copilot_harness.test.cjs	Updates fallback tests to assert CLI calls and adds edge-case + failure-path coverage.
.github/workflows/*.lock.yml (8 files)	Regenerated lock files: checkout-line format flipped to repo X → $GITHUB_WORKSPACE and refreshed heredoc tag hashes; unrelated to harness changes.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 10/10 changed files
• Comments generated: 2

[Copilot]

@copilot merge main and recompile

Done — merged origin/main (resolved heredoc-token conflicts in the auto-generated lock files by accepting main's version) and recompiled. All 236/236 workflow files compiled with 0 errors.

[github-actions]

@copilot refresh the branch and rerun checks, then summarize any remaining blockers.

Generated by 👨‍🍳 PR Sous Chef · gpt54 11.5M · ◷

[pelikhan]

@copilot refactor safeoutputs cli helpers to own file and refactor support for all harnesses

[Copilot]

Done in the latest commit. The CLI helpers are now in safeoutputs_cli.cjs which exports runSafeOutputsCLI, buildMissingToolAlternatives, emitMissingToolPermissionIssue, and emitInfrastructureIncomplete. All three harnesses (copilot, claude, codex) now require from this shared module — claude_harness and codex_harness also switch from the old appendFileSync path to the CLI path. A new safeoutputs_cli.test.cjs covers the shared module directly.

[pelikhan]

@copilot lint js, lint go

https://github.com/github/gh-aw/actions/runs/26689561214/job/78663464271?pr=35934

[Copilot]

@copilot lint js, lint go

https://github.com/github/gh-aw/actions/runs/26689561214/job/78663464271?pr=35934

Fixed in the latest commit:

• JS lint: ran Prettier --write on copilot_harness.cjs, safeoutputs_cli.cjs, safeoutputs_cli.test.cjs
• Go lint: removed the unused skillDownloadLog var and downloadSkillFileFromGitHub/downloadSkillFileViaGHCLI functions from pkg/cli/agent_download.go (dead code introduced via the main merge); fixed the testifylint assert.Len issue in pkg/workflow/claude_tools_helpers_test.go