chore: sync actions from gh-aw@v0.65.7 (#64)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: github-actions[bot]

setup/js/add_reaction_and_edit_comment.cjs

@@ -54,7 +54,6 @@ async function main() {
 
   let reactionEndpoint;
   let commentUpdateEndpoint;
-  let shouldCreateComment = false;
   const eventName = context.eventName;
   const owner = context.repo.owner;
   const repo = context.repo.repo;
@@ -69,7 +68,6 @@ async function main() {
         }
         reactionEndpoint = `/repos/${owner}/${repo}/issues/${issueNumber}/reactions`;
         commentUpdateEndpoint = `/repos/${owner}/${repo}/issues/${issueNumber}/comments`;
-        shouldCreateComment = true;
         break;
       }
 
@@ -87,7 +85,6 @@ async function main() {
         reactionEndpoint = `/repos/${owner}/${repo}/issues/comments/${commentId}/reactions`;
         // Create new comment on the issue itself, not on the comment
         commentUpdateEndpoint = `/repos/${owner}/${repo}/issues/${issueNumberForComment}/comments`;
-        shouldCreateComment = true;
         break;
       }
 
@@ -100,7 +97,6 @@ async function main() {
         // PRs are "issues" for the reactions endpoint
         reactionEndpoint = `/repos/${owner}/${repo}/issues/${prNumber}/reactions`;
         commentUpdateEndpoint = `/repos/${owner}/${repo}/issues/${prNumber}/comments`;
-        shouldCreateComment = true;
         break;
       }
 
@@ -118,7 +114,6 @@ async function main() {
         reactionEndpoint = `/repos/${owner}/${repo}/pulls/comments/${reviewCommentId}/reactions`;
         // Create new comment on the PR itself (using issues endpoint since PRs are issues)
         commentUpdateEndpoint = `/repos/${owner}/${repo}/issues/${prNumberForReviewComment}/comments`;
-        shouldCreateComment = true;
         break;
       }
 
@@ -132,7 +127,6 @@ async function main() {
         const discussion = await getDiscussionId(owner, repo, discussionNumber);
         reactionEndpoint = discussion.id; // Store node ID for GraphQL
         commentUpdateEndpoint = `discussion:${discussionNumber}`; // Special format to indicate discussion
-        shouldCreateComment = true;
         break;
       }
 
@@ -150,7 +144,6 @@ async function main() {
         }
         reactionEndpoint = commentNodeId; // Store node ID for GraphQL
         commentUpdateEndpoint = `discussion_comment:${discussionCommentNumber}:${discussionCommentId}`; // Special format
-        shouldCreateComment = true;
         break;
       }
 
@@ -162,18 +155,15 @@ async function main() {
     core.info(`Reaction API endpoint: ${reactionEndpoint}`);
 
     // For discussions, reactionEndpoint is a node ID (GraphQL), otherwise it's a REST API path
-    const isDiscussionEvent = eventName === "discussion" || eventName === "discussion_comment";
-    if (isDiscussionEvent) {
+    if (eventName === "discussion" || eventName === "discussion_comment") {
       await addDiscussionReaction(reactionEndpoint, reaction);
     } else {
       await addReaction(reactionEndpoint, reaction);
     }
 
-    if (shouldCreateComment && commentUpdateEndpoint) {
+    if (commentUpdateEndpoint) {
       core.info(`Comment endpoint: ${commentUpdateEndpoint}`);
       await addCommentWithWorkflowLink(commentUpdateEndpoint, runUrl, eventName);
-    } else {
-      core.info(`Skipping comment for event type: ${eventName}`);
     }
   } catch (error) {
     const errorMessage = getErrorMessage(error);
@@ -309,29 +299,19 @@ async function addCommentWithWorkflowLink(endpoint, runUrl, eventName) {
       eventType: eventTypeDescription,
     });
 
-    // Sanitize before adding workflow markers to preserve them
-    let commentBody = sanitizeContent(workflowLinkText);
-
-    // Add lock notice if lock-for-agent is enabled for issues or issue_comment
     const lockForAgent = process.env.GH_AW_LOCK_FOR_AGENT === "true";
-    if (lockForAgent && (eventName === "issues" || eventName === "issue_comment")) {
-      commentBody += "\n\n🔒 This issue has been locked while the workflow is running to prevent concurrent modifications.";
-    }
-
     const workflowId = process.env.GITHUB_WORKFLOW || "";
     const trackerId = process.env.GH_AW_TRACKER_ID || "";
 
-    if (workflowId) {
-      commentBody += `\n\n${generateWorkflowIdMarker(workflowId)}`;
-    }
-
-    // Add tracker-id marker if available (for backwards compatibility)
-    if (trackerId) {
-      commentBody += `\n\n<!-- gh-aw-tracker-id: ${trackerId} -->`;
-    }
-
-    // Add comment type marker to identify this as a reaction comment
-    commentBody += `\n\n<!-- gh-aw-comment-type: reaction -->`;
+    // Build comment body from parts, sanitizing first to preserve workflow markers
+    const commentParts = [
+      sanitizeContent(workflowLinkText),
+      ...(lockForAgent && (eventName === "issues" || eventName === "issue_comment") ? ["🔒 This issue has been locked while the workflow is running to prevent concurrent modifications."] : []),
+      ...(workflowId ? [generateWorkflowIdMarker(workflowId)] : []),
+      ...(trackerId ? [`<!-- gh-aw-tracker-id: ${trackerId} -->`] : []),
+      "<!-- gh-aw-comment-type: reaction -->",
+    ];
+    const commentBody = commentParts.join("\n\n");
 
     if (eventName === "discussion") {
       // Parse discussion number from special format: "discussion:NUMBER"

setup/js/check_workflow_timestamp_api.cjs

@@ -2,10 +2,12 @@
 /// <reference types="@actions/github-script" />
 
 /**
- * Check workflow lock file integrity using frontmatter hash validation.
+ * Check for a stale workflow lock file using frontmatter hash comparison.
  * This script verifies that the stored frontmatter hash in the lock file
- * matches the recomputed hash from the source .md file, regardless of
- * commit timestamps.
+ * matches the recomputed hash from the source .md file, detecting cases where
+ * the workflow was edited without recompiling the lock file. It does not
+ * provide tamper protection — use code review to guard against intentional
+ * modifications.
  *
  * Supports both same-repo and cross-repo reusable workflow scenarios:
  * - Primary: GitHub API (uses GITHUB_WORKFLOW_REF to identify source repo)
@@ -33,17 +35,23 @@ async function main() {
   const workflowMdPath = `.github/workflows/${workflowBasename}.md`;
   const lockFilePath = `.github/workflows/${workflowFile}`;
 
-  core.info(`Checking workflow lock file integrity using frontmatter hash:`);
+  core.info(`Checking for stale lock file using frontmatter hash:`);
   core.info(`  Source: ${workflowMdPath}`);
   core.info(`  Lock file: ${lockFilePath}`);
 
-  // Determine workflow source repository from GITHUB_WORKFLOW_REF for cross-repo support.
-  // GITHUB_WORKFLOW_REF format: owner/repo/.github/workflows/file.yml@ref
-  // This env var always reflects the repo where the workflow file is defined,
-  // not the repo where the triggering event occurred (context.repo).
-  // When running cross-repo via org rulesets, context.repo points to the target
-  // repository, not the repository that defines the workflow files.
-  const workflowEnvRef = process.env.GITHUB_WORKFLOW_REF || "";
+  // Determine workflow source repository from the workflow ref for cross-repo support.
+  //
+  // For cross-repo workflow_call invocations (reusable workflows called from another repo),
+  // the GITHUB_WORKFLOW_REF env var always points to the TOP-LEVEL CALLER's workflow, not
+  // the reusable workflow being executed. This causes the script to look for lock files in
+  // the wrong repository.
+  //
+  // The GitHub Actions expression ${{ github.workflow_ref }} is injected as GH_AW_CONTEXT_WORKFLOW_REF
+  // by the compiler and correctly identifies the CURRENT reusable workflow's ref even in
+  // cross-repo workflow_call scenarios. We prefer it over GITHUB_WORKFLOW_REF when available.
+  //
+  // Ref: https://github.com/github/gh-aw/issues/23935
+  const workflowEnvRef = process.env.GH_AW_CONTEXT_WORKFLOW_REF || process.env.GITHUB_WORKFLOW_REF || "";
   const currentRepo = process.env.GITHUB_REPOSITORY || `${context.repo.owner}/${context.repo.repo}`;
 
   // Parse owner, repo, and optional ref from GITHUB_WORKFLOW_REF as a single unit so that
@@ -70,7 +78,11 @@ async function main() {
     ref = undefined;
   }
 
-  core.info(`GITHUB_WORKFLOW_REF: ${workflowEnvRef || "(not set)"}`);
+  const contextWorkflowRef = process.env.GH_AW_CONTEXT_WORKFLOW_REF;
+  core.info(`GITHUB_WORKFLOW_REF: ${process.env.GITHUB_WORKFLOW_REF || "(not set)"}`);
+  if (contextWorkflowRef) {
+    core.info(`GH_AW_CONTEXT_WORKFLOW_REF: ${contextWorkflowRef} (used for source repo resolution)`);
+  }
   core.info(`GITHUB_REPOSITORY: ${currentRepo}`);
   core.info(`Resolved source repo: ${owner}/${repo} @ ${ref || "(default branch)"}`);
 
@@ -193,11 +205,11 @@ async function main() {
   if (!hashComparison) {
     // Could not compute hash - be conservative and fail
     core.warning("Could not compare frontmatter hashes - assuming lock file is outdated");
-    const warningMessage = `Lock file '${lockFilePath}' integrity check failed! Could not verify frontmatter hash for '${workflowMdPath}'. Run 'gh aw compile' to regenerate the lock file.`;
+    const warningMessage = `Lock file '${lockFilePath}' is outdated or unverifiable! Could not verify frontmatter hash for '${workflowMdPath}'. Run 'gh aw compile' to regenerate the lock file.`;
 
     let summary = core.summary
       .addRaw("### ⚠️ Workflow Lock File Warning\n\n")
-      .addRaw("**WARNING**: Lock file integrity check failed. Could not verify frontmatter hash.\n\n")
+      .addRaw("**WARNING**: Could not verify whether lock file is up to date. Frontmatter hash check failed.\n\n")
       .addRaw("**Files:**\n")
       .addRaw(`- Source: \`${workflowMdPath}\`\n`)
       .addRaw(`- Lock: \`${lockFilePath}\`\n\n`)

setup/js/messages_footer.cjs

@@ -205,6 +205,10 @@ function getFooterAgentFailureIssueMessage(ctx) {
 
   // Default footer template with link to workflow run
   let defaultFooter = "> Generated from [{workflow_name}]({agentic_workflow_url})";
+  // Append effective tokens with ● symbol when available (compact format, no "ET" label)
+  if (effectiveTokens) {
+    defaultFooter += `{effective_tokens_suffix}`;
+  }
   // Append history link when available
   if (ctx.historyUrl) {
     defaultFooter += " · [◷]({history_url})";
@@ -239,6 +243,10 @@ function getFooterAgentFailureCommentMessage(ctx) {
 
   // Default footer template with link to workflow run
   let defaultFooter = "> Generated from [{workflow_name}]({agentic_workflow_url})";
+  // Append effective tokens with ● symbol when available (compact format, no "ET" label)
+  if (effectiveTokens) {
+    defaultFooter += `{effective_tokens_suffix}`;
+  }
   // Append history link when available
   if (ctx.historyUrl) {
     defaultFooter += " · [◷]({history_url})";

setup/js/pr_helpers.cjs

@@ -3,33 +3,33 @@
 /**
  * Detect if a pull request is from a fork repository.
  *
- * Uses multiple signals for robust detection:
- * 1. Check if head.repo.fork is explicitly true (GitHub's fork flag)
- * 2. Compare repository full names if both repos exist
- * 3. Handle deleted fork case (head.repo is null)
+ * A "fork PR" means the head and base are in *different* repositories
+ * (cross-repo PR). Detection uses two signals:
+ * 1. Handle deleted fork case (head.repo is null)
+ * 2. Compare repository full names — different names mean cross-repo
+ *
+ * NOTE: We intentionally do NOT check head.repo.fork. That flag indicates
+ * whether the repository *itself* is a fork of another repo, not whether
+ * the PR is cross-repo. A same-repo PR in a forked repository (common in
+ * OSS) would have fork=true but is NOT a cross-repo fork PR. Using that
+ * flag caused false positives that forced `gh pr checkout` instead of fast
+ * `git fetch`, which then failed due to stale GH_HOST values. See #24208.
  *
  * @param {object} pullRequest - The pull request object from GitHub context
  * @returns {{isFork: boolean, reason: string}} Fork detection result with reason
  */
 function detectForkPR(pullRequest) {
-  let isFork = false;
-  let reason = "same repository";
-
   if (!pullRequest.head?.repo) {
     // Head repo is null - likely a deleted fork
-    isFork = true;
-    reason = "head repository deleted (was likely a fork)";
-  } else if (pullRequest.head.repo.fork === true) {
-    // GitHub's explicit fork flag
-    isFork = true;
-    reason = "head.repo.fork flag is true";
-  } else if (pullRequest.head.repo.full_name !== pullRequest.base?.repo?.full_name) {
-    // Different repository names
-    isFork = true;
-    reason = "different repository names";
+    return { isFork: true, reason: "head repository deleted (was likely a fork)" };
+  }
+
+  if (pullRequest.head.repo.full_name !== pullRequest.base?.repo?.full_name) {
+    // Different repository names — this is a cross-repo (fork) PR
+    return { isFork: true, reason: "different repository names" };
   }
 
-  return { isFork, reason };
+  return { isFork: false, reason: "same repository" };
 }
 
 /**

setup/md/agent_failure_issue.md

@@ -35,8 +35,13 @@ Debug this workflow failure using your favorite Agent CLI and the `agentic-workf
 </details>
 
 > [!TIP]
+> <details>
+> <summary><b>Stop reporting this workflow as a failure</b></summary>
+>
 > To stop a workflow from creating failure issues, set `report-failure-as-issue: false` in its frontmatter:
 > ```yaml
 > safe-outputs:
 >   report-failure-as-issue: false
 > ```
+>
+> </details>

setup/sh/configure_gh_for_ghe.sh

@@ -62,9 +62,27 @@ main() {
   local github_host
   github_host=$(detect_github_host)
 
-  # If the host is github.com, no configuration is needed
+  # If the host is github.com, no GHE configuration is needed.
+  # However, we must clear any stale GH_HOST value to prevent gh CLI
+  # from targeting the wrong host (e.g., a leftover localhost:18443
+  # from a prior DIFC proxy run). See #24208.
   if [ "$github_host" = "github.com" ]; then
+    if [ -n "${GH_HOST:-}" ] && [ "${GH_HOST}" != "github.com" ]; then
+      echo "Clearing stale GH_HOST=${GH_HOST} (expected github.com)"
+      unset GH_HOST
+      if [ -n "${GITHUB_ENV:-}" ]; then
+        echo "GH_HOST=github.com" >> "${GITHUB_ENV}"
+      fi
+    fi
     echo "Using public GitHub (github.com) - no additional gh configuration needed"
+    # Clear any stale GH_HOST to prevent gh CLI mismatches
+    if [ -n "${GH_HOST:-}" ] && [ "${GH_HOST}" != "github.com" ]; then
+      echo "Clearing stale GH_HOST" >&2
+      unset GH_HOST
+      if [ -n "${GITHUB_ENV:-}" ]; then
+        echo "GH_HOST=" >> "${GITHUB_ENV}"
+      fi
+    fi
     return 0
   fi