chore: sync actions from gh-aw@v0.67.1 (#68)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: github-actions[bot]

setup/action.yml

@@ -11,7 +11,7 @@ inputs:
     required: false
     default: 'false'
   job-name:
-    description: 'Name of the job being set up. When OTEL_EXPORTER_OTLP_ENDPOINT is configured, a gh-aw.job.setup span is pushed to the OTLP endpoint.'
+    description: 'Name of the job being set up. When OTEL_EXPORTER_OTLP_ENDPOINT is configured, a gh-aw.<job-name>.setup span is pushed to the OTLP endpoint.'
     required: false
     default: ''
   trace-id:
@@ -23,7 +23,7 @@ outputs:
   files_copied:
     description: 'Number of files copied'
   trace-id:
-    description: 'The OTLP trace ID used for the gh-aw.job.setup span. Pass this to subsequent job setup steps via the trace-id input to correlate all job spans under a single trace.'
+    description: 'The OTLP trace ID used for the gh-aw.<job-name>.setup span. Pass this to subsequent job setup steps via the trace-id input to correlate all job spans under a single trace.'
 
 runs:
   using: 'node24'

setup/index.js

@@ -23,11 +23,19 @@ const inputTraceId =
   process.env["INPUT_TRACE-ID"] ||
   "";
 
+// Normalize job-name input: handle both INPUT_JOB_NAME (underscore, standard)
+// and INPUT_JOB-NAME (hyphen, used by some runner versions).
+const inputJobName =
+  process.env["INPUT_JOB_NAME"] ||
+  process.env["INPUT_JOB-NAME"] ||
+  "";
+
 const result = spawnSync(path.join(__dirname, "setup.sh"), [], {
   stdio: "inherit",
   env: Object.assign({}, process.env, {
     INPUT_SAFE_OUTPUT_CUSTOM_TOKENS: safeOutputCustomTokens,
     INPUT_TRACE_ID: inputTraceId,
+    INPUT_JOB_NAME: inputJobName,
     // Tell setup.sh to skip the OTLP span: in action mode index.js sends it
     // after setup.sh returns so that the startMs captured here is used.
     GH_AW_SKIP_SETUP_OTLP: "1",
@@ -43,7 +51,7 @@ if (result.status !== 0) {
   process.exit(result.status ?? 1);
 }
 
-// Send a gh-aw.job.setup span to the OTLP endpoint when configured.
+// Send a gh-aw.<jobName>.setup span to the OTLP endpoint when configured.
 // Delegates to action_setup_otlp.cjs so that script mode (setup.sh) and
 // dev/release mode share the same implementation.
 // Explicitly set INPUT_TRACE_ID (normalized above) so action_setup_otlp.cjs
@@ -54,6 +62,7 @@ if (result.status !== 0) {
   try {
     process.env.SETUP_START_MS = String(setupStartMs);
     process.env.INPUT_TRACE_ID = inputTraceId;
+    process.env.INPUT_JOB_NAME = inputJobName;
     const { run } = require(path.join(__dirname, "js", "action_setup_otlp.cjs"));
     await run();
   } catch {

setup/js/action_conclusion_otlp.cjs

@@ -4,8 +4,8 @@
 /**
  * action_conclusion_otlp.cjs
  *
- * Sends a gh-aw.job.conclusion OTLP span (or a span named after the current
- * job).  Used by both:
+ * Sends a `gh-aw.<jobName>.conclusion` OTLP span (or `gh-aw.job.conclusion`
+ * when no job name is configured).  Used by both:
  *
  *   - actions/setup/post.js   (dev/release/action mode)
  *   - actions/setup/clean.sh  (script mode)
@@ -14,14 +14,22 @@
  *
  * Environment variables read:
  *   INPUT_JOB_NAME – job name from the `job-name` action input; when set the
- *                    span is named "gh-aw.job.<name>", otherwise
+ *                    span is named "gh-aw.<name>.conclusion", otherwise
  *                    "gh-aw.job.conclusion".
+ *   GH_AW_AGENT_CONCLUSION        – agent job result passed from the agent job
+ *                                   ("success", "failure", "timed_out", etc.);
+ *                                   "failure" and "timed_out" set the span
+ *                                   status to STATUS_CODE_ERROR.
+ *   GITHUB_AW_OTEL_JOB_START_MS   – epoch ms written by action_setup_otlp.cjs when
+ *                                   setup finished; used as the span startMs so the
+ *                                   conclusion span duration covers the actual job
+ *                                   execution window rather than this step's overhead.
  *   GITHUB_AW_OTEL_TRACE_ID       – parent trace ID (set by action_setup_otlp.cjs)
  *   GITHUB_AW_OTEL_PARENT_SPAN_ID – parent span ID (set by action_setup_otlp.cjs)
  *   OTEL_EXPORTER_OTLP_ENDPOINT   – OTLP endpoint (no-op when not set)
  */
 
-const path = require("path");
+const sendOtlpSpan = require("./send_otlp_span.cjs");
 
 /**
  * Send the OTLP job-conclusion span.  Non-fatal: all errors are silently
@@ -35,11 +43,18 @@ async function run() {
     return;
   }
 
-  const spanName = process.env.INPUT_JOB_NAME ? `gh-aw.job.${process.env.INPUT_JOB_NAME}` : "gh-aw.job.conclusion";
+  // Read the job-start timestamp written by action_setup_otlp so the conclusion
+  // span duration covers the actual job execution window, not just this step's overhead.
+  const rawJobStartMs = parseInt(process.env.GITHUB_AW_OTEL_JOB_START_MS || "0", 10);
+  const startMs = rawJobStartMs > 0 ? rawJobStartMs : undefined;
+
+  // Normalize job-name input: handle both INPUT_JOB_NAME (underscore, standard)
+  // and INPUT_JOB-NAME (hyphen, used by some runner versions).
+  const jobName = (process.env.INPUT_JOB_NAME || process.env["INPUT_JOB-NAME"] || "").trim();
+  const spanName = jobName ? `gh-aw.${jobName}.conclusion` : "gh-aw.job.conclusion";
   console.log(`[otlp] sending conclusion span "${spanName}" to ${endpoint}`);
 
-  const { sendJobConclusionSpan } = require(path.join(__dirname, "send_otlp_span.cjs"));
-  await sendJobConclusionSpan(spanName);
+  await sendOtlpSpan.sendJobConclusionSpan(spanName, { startMs });
   console.log(`[otlp] conclusion span sent`);
 }
 

setup/js/action_setup_otlp.cjs

@@ -4,7 +4,7 @@
 /**
  * action_setup_otlp.cjs
  *
- * Sends a gh-aw.job.setup OTLP span and writes the trace/span IDs to
+ * Sends a `gh-aw.<jobName>.setup` OTLP span and writes the trace/span IDs to
  * GITHUB_OUTPUT and GITHUB_ENV.  Used by both:
  *
  *   - actions/setup/index.js  (dev/release/action mode)
@@ -17,10 +17,17 @@
  *   GITHUB_OUTPUT   – path to the GitHub Actions output file
  *   GITHUB_ENV      – path to the GitHub Actions env file
  *   INPUT_*         – standard GitHub Actions input env vars (read by sendJobSetupSpan)
+ *
+ * Environment variables written:
+ *   GITHUB_AW_OTEL_TRACE_ID        – resolved trace ID (for cross-job correlation)
+ *   GITHUB_AW_OTEL_PARENT_SPAN_ID  – setup span ID (links conclusion span as child)
+ *   GITHUB_AW_OTEL_JOB_START_MS    – epoch ms when setup finished (used by conclusion
+ *                                     span to measure actual job execution duration)
  */
 
 const path = require("path");
 const { appendFileSync } = require("fs");
+const { nowMs } = require("./performance_now.cjs");
 
 /**
  * Send the OTLP job-setup span and propagate trace context via GITHUB_OUTPUT /
@@ -50,6 +57,18 @@ async function run() {
     console.log("[otlp] INPUT_TRACE_ID not set, a new trace ID will be generated");
   }
 
+  // Normalize job-name input: handle both INPUT_JOB_NAME (underscore, standard)
+  // and INPUT_JOB-NAME (hyphen, used by some runner versions).  Mirror the same
+  // two-key lookup that INPUT_TRACE_ID uses above so script-mode invocations
+  // (setup.sh → node action_setup_otlp.cjs) always resolve the job name even
+  // when the runner preserves the original hyphen in the env var name.
+  const inputJobName = (process.env.INPUT_JOB_NAME || process.env["INPUT_JOB-NAME"] || "").trim();
+  if (inputJobName) {
+    // Normalise to the canonical underscore form so sendJobSetupSpan (which
+    // reads process.env.INPUT_JOB_NAME) always finds the value.
+    process.env.INPUT_JOB_NAME = inputJobName;
+  }
+
   if (!endpoint) {
     console.log("[otlp] OTEL_EXPORTER_OTLP_ENDPOINT not set, skipping setup span");
   } else {
@@ -83,6 +102,11 @@ async function run() {
       appendFileSync(process.env.GITHUB_ENV, `GITHUB_AW_OTEL_PARENT_SPAN_ID=${spanId}\n`);
       console.log(`[otlp] GITHUB_AW_OTEL_PARENT_SPAN_ID written to GITHUB_ENV`);
     }
+    // Propagate setup-end timestamp so the conclusion span can measure actual
+    // job execution duration (setup-end → conclusion-start).
+    const setupEndMs = Math.round(nowMs());
+    appendFileSync(process.env.GITHUB_ENV, `GITHUB_AW_OTEL_JOB_START_MS=${setupEndMs}\n`);
+    console.log(`[otlp] GITHUB_AW_OTEL_JOB_START_MS written to GITHUB_ENV`);
   }
 }
 

setup/js/check_command_position.cjs

@@ -2,6 +2,7 @@
 /// <reference types="@actions/github-script" />
 
 const { ERR_API, ERR_CONFIG, ERR_VALIDATION } = require("./error_codes.cjs");
+const { writeDenialSummary } = require("./pre_activation_summary.cjs");
 
 /**
  * Check if command is the first word in the triggering text
@@ -100,6 +101,10 @@ async function main() {
       core.warning(`⚠️ None of the commands [${expectedCommands}] matched the first word (found: '${firstWord}'). Workflow will be skipped.`);
       core.setOutput("command_position_ok", "false");
       core.setOutput("matched_command", "");
+      await writeDenialSummary(
+        `The trigger comment did not start with a required command. Expected one of: ${expectedCommands}. Found: \`${firstWord}\`.`,
+        "Make sure the trigger comment starts with the required command defined in `on.command:` in the workflow frontmatter."
+      );
     }
   } catch (error) {
     core.setFailed(`${ERR_API}: ${getErrorMessage(error)}`);

setup/js/check_membership.cjs

@@ -2,6 +2,7 @@
 /// <reference types="@actions/github-script" />
 
 const { parseRequiredPermissions, parseAllowedBots, checkRepositoryPermission, checkBotStatus, isAllowedBot } = require("./check_permissions_utils.cjs");
+const { writeDenialSummary } = require("./pre_activation_summary.cjs");
 
 async function main() {
   const { eventName } = context;
@@ -46,6 +47,7 @@ async function main() {
     core.setOutput("is_team_member", "false");
     core.setOutput("result", "config_error");
     core.setOutput("error_message", "Configuration error: Required permissions not specified");
+    await writeDenialSummary("Configuration error: Required permissions not specified.", "Contact the repository administrator to fix the workflow frontmatter configuration.");
     return;
   }
 
@@ -76,11 +78,13 @@ async function main() {
           core.setOutput("user_permission", "bot");
           return;
         } else if (botStatus.isBot && !botStatus.isActive) {
+          const errorMessage = `Access denied: Bot '${actor}' is not active/installed on this repository`;
           core.warning(`Bot '${actor}' is in the allowed list but not active/installed on ${owner}/${repo}`);
           core.setOutput("is_team_member", "false");
           core.setOutput("result", "bot_not_active");
           core.setOutput("user_permission", result.permission ?? "bot");
-          core.setOutput("error_message", `Access denied: Bot '${actor}' is not active/installed on this repository`);
+          core.setOutput("error_message", errorMessage);
+          await writeDenialSummary(errorMessage, "The bot is in the allowed list but is not installed or active on this repository. Install the GitHub App and try again.");
           return;
         } else {
           core.info(`Actor '${actor}' is in allowed bots list but bot status check failed`);
@@ -90,18 +94,20 @@ async function main() {
 
     // Not authorized by role or bot
     if (result.error) {
+      const errorMessage = `Repository permission check failed: ${result.error}`;
       core.setOutput("is_team_member", "false");
       core.setOutput("result", "api_error");
-      core.setOutput("error_message", `Repository permission check failed: ${result.error}`);
+      core.setOutput("error_message", errorMessage);
+      await writeDenialSummary(errorMessage, "The permission check failed with a GitHub API error. Check the `pre_activation` job log for details.");
     } else {
+      const errorMessage =
+        `Access denied: User '${actor}' is not authorized. Required permissions: ${requiredPermissions.join(", ")}. ` +
+        `To allow this user to run the workflow, add their role to the frontmatter. Example: roles: [${requiredPermissions.join(", ")}, ${result.permission}]`;
       core.setOutput("is_team_member", "false");
       core.setOutput("result", "insufficient_permissions");
       core.setOutput("user_permission", result.permission);
-      core.setOutput(
-        "error_message",
-        `Access denied: User '${actor}' is not authorized. Required permissions: ${requiredPermissions.join(", ")}. ` +
-          `To allow this user to run the workflow, add their role to the frontmatter. Example: roles: [${requiredPermissions.join(", ")}, ${result.permission}]`
-      );
+      core.setOutput("error_message", errorMessage);
+      await writeDenialSummary(errorMessage, `To allow a bot or GitHub App actor, add it to \`on.bots:\` in the workflow frontmatter. ` + `To change the required roles for human actors, update \`on.roles:\` in the workflow frontmatter.`);
     }
   }
 }

setup/js/check_rate_limit.cjs

@@ -2,6 +2,7 @@
 /// <reference types="@actions/github-script" />
 
 const { getErrorMessage } = require("./error_helpers.cjs");
+const { fetchAndLogRateLimit } = require("./github_rate_limit_logger.cjs");
 
 /**
  * Rate limit check for per-user per-workflow triggers
@@ -15,6 +16,9 @@ async function main() {
   const eventName = context.eventName;
   const runId = context.runId;
 
+  // Capture a rate-limit snapshot at the start of the check for observability.
+  await fetchAndLogRateLimit(github, "check_rate_limit_start");
+
   // Get workflow file name from GITHUB_WORKFLOW_REF (format: "owner/repo/.github/workflows/file.yml@ref")
   // or fall back to GITHUB_WORKFLOW (workflow name)
   const workflowRef = process.env.GITHUB_WORKFLOW_REF || "";
@@ -50,12 +54,13 @@ async function main() {
 
   try {
     // Check user's permission level in the repository
-    const { data: permissionData } = await github.rest.repos.getCollaboratorPermissionLevel({
+    const permResponse = await github.rest.repos.getCollaboratorPermissionLevel({
       owner,
       repo,
       username: actor,
     });
 
+    const { data: permissionData } = permResponse;
     const userPermission = permissionData.permission;
     core.info(`   User '${actor}' has permission level: ${userPermission}`);
 

setup/js/check_skip_bots.cjs

@@ -1,6 +1,8 @@
 // @ts-check
 /// <reference types="@actions/github-script" />
 
+const { writeDenialSummary } = require("./pre_activation_summary.cjs");
+
 /**
  * Check if the workflow should be skipped based on bot/user identity
  * Reads skip-bots from GH_AW_SKIP_BOTS environment variable
@@ -48,10 +50,12 @@ async function main() {
 
   if (isSkipped) {
     // User is in skip-bots, skip the workflow
+    const errorMessage = `Workflow skipped: User '${actor}' is in skip-bots: [${skipBots.join(", ")}]`;
     core.info(`❌ User '${actor}' is in skip-bots [${skipBots.join(", ")}]. Workflow will be skipped.`);
     core.setOutput("skip_bots_ok", "false");
     core.setOutput("result", "skipped");
-    core.setOutput("error_message", `Workflow skipped: User '${actor}' is in skip-bots: [${skipBots.join(", ")}]`);
+    core.setOutput("error_message", errorMessage);
+    await writeDenialSummary(errorMessage, "Update `on.skip-bots:` in the workflow frontmatter to change which bots are excluded.");
   } else {
     // User is NOT in skip-bots, allow workflow to proceed
     core.info(`✅ User '${actor}' is NOT in skip-bots [${skipBots.join(", ")}]. Workflow will proceed.`);

setup/js/check_skip_if_check_failing.cjs

@@ -4,6 +4,7 @@
 const { getErrorMessage, isRateLimitError } = require("./error_helpers.cjs");
 const { ERR_API } = require("./error_codes.cjs");
 const { getBaseBranch } = require("./get_base_branch.cjs");
+const { writeDenialSummary } = require("./pre_activation_summary.cjs");
 
 /**
  * Determines the ref to check for CI status.
@@ -206,6 +207,7 @@ async function main() {
       const names = failingChecks.map(r => (r.status === "completed" ? `${r.name} (${r.conclusion})` : `${r.name} (${r.status})`)).join(", ");
       core.warning(`⚠️ Failing CI checks detected on "${ref}": ${names}. Workflow execution will be prevented by activation job.`);
       core.setOutput("skip_if_check_failing_ok", "false");
+      await writeDenialSummary(`Failing CI checks detected on \`${ref}\`: ${names}.`, "Fix the failing check(s) referenced in `on.skip-if-check-failing:`, or update the frontmatter configuration.");
       return;
     }
 

setup/js/check_skip_if_match.cjs

@@ -4,6 +4,7 @@
 const { getErrorMessage } = require("./error_helpers.cjs");
 const { ERR_API, ERR_CONFIG } = require("./error_codes.cjs");
 const { buildSearchQuery } = require("./check_skip_if_helpers.cjs");
+const { writeDenialSummary } = require("./pre_activation_summary.cjs");
 
 async function main() {
   const { GH_AW_SKIP_QUERY: skipQuery, GH_AW_WORKFLOW_NAME: workflowName, GH_AW_SKIP_MAX_MATCHES: maxMatchesStr = "1", GH_AW_SKIP_SCOPE: skipScope } = process.env;
@@ -42,6 +43,7 @@ async function main() {
     if (totalCount >= maxMatches) {
       core.warning(`🔍 Skip condition matched (${totalCount} items found, threshold: ${maxMatches}). Workflow execution will be prevented by activation job.`);
       core.setOutput("skip_check_ok", "false");
+      await writeDenialSummary(`Skip-if-match query matched: ${totalCount} item(s) found (threshold: ${maxMatches}).`, "Update `on.skip-if-match:` in the workflow frontmatter if this skip was unexpected.");
       return;
     }