[safe-output-health] Safe Output Health Report - 2026-04-19

[github-actions[bot]]

Executive Summary

• Period: Last 24 hours (2026-04-19)
• Runs Analyzed: 24
• Workflows Active: 20 (4 skipped — agent job not triggered)
• Runs with Safe Output Jobs: 15
• Safe Output Jobs Failed: 2
• Overall Success Rate: 86.7% (13/15)
• Error Clusters Identified: 2
• awf_version: v0.25.25

Safe Output Job Statistics

Job Type	Executions	Failures	Success Rate
create_discussion	6	0	100%
create_issue	5	0	100%
noop	3	0	100%
upload_asset	2	0	100%
missing_tool	1	0	100%
upload_artifact	1	1	0%
create_pull_request	1	1	0%

Note: upload_artifact failure in run-24628589681 also caused 1 cascading create_discussion cancellation in run-24629165601.

Error Clusters

Cluster 1: Protected File Path Violation in create_pull_request

• Count: 1 occurrence
• Affected Jobs: create_pull_request (and 1 cascading create_discussion cancellation)
• Affected Workflow: GitHub MCP Remote Server Tools Report Generator (§24629165601)
• Sample Error:

  Cannot create pull request: patch modifies protected files (.github/aw/github-mcp-server.md).
  Add them to the allowed-files configuration field or set protected-files: fallback-to-issue
  to create a review issue instead.
  

• Root Cause: The agent generated a patch to update .github/aw/github-mcp-server.md (MCP tools documentation), but this path falls under the workflow's protected_path_prefixes list (.github/). No explicit allowed-files exception was configured to permit this file.
• Impact: High — both the PR creation and the dependent create_discussion were blocked. No documentation update was committed. The workflow's intended output was entirely lost for this run.

Cluster 2: Missing Files for upload_artifact

• Count: 1 occurrence
• Affected Jobs: upload_artifact
• Affected Workflow: Multi-Device Docs Tester (§24628589681)
• Sample Error:

  ERR_VALIDATION: upload_artifact: no files matched the selection criteria.
  Check allowed-paths, filters, or use defaults.if-no-files: ignore to skip empty uploads.
  

• Root Cause: The safe output job tried to download a prerequisite artifact named safe-outputs-upload-artifacts — which was not found — and subsequently no files were present to upload when processing the upload_artifact message. The agent successfully completed its main task (all 10 devices passed multi-device testing) and wrote a noop message, but the file upload path was broken.
• Impact: Medium — the noop summary was recorded successfully, but any artifacts the agent intended to upload were lost.

Root Cause Analysis

Protected Path Configuration Issues

The create_pull_request handler enforces protected_path_prefixes: [".github/", ".agents/", ".claude/"] to prevent accidental changes to workflow/config files. The GitHub MCP Remote Server Tools Report Generator workflow is designed to update documentation at .github/aw/github-mcp-server.md, which is legitimately inside .github/. The workflow configuration lacks an explicit allowed-files entry for this path or a protected-files: fallback-to-issue fallback, causing the PR creation to fail hard instead of gracefully degrading.

Agent-Produced File Path Issues

The Multi-Device Docs Tester uses upload_artifact to surface test artifacts. The failure indicates the agent referenced files that were not created or were placed outside the expected upload paths. This may be caused by the agent writing files to a location not included in the allowed-paths configuration of the upload step.

Non-Issue: digest-mismatch: error

The string digest-mismatch: error appears in 12+ runs across all safe output logs. This is not an error — it is a configuration parameter passed to the actions/download-artifact step specifying behavior on digest mismatch. It is expected and benign.

Recommendations

Critical Issues (Immediate Action Required)

1. Fix: GitHub MCP Remote Server Tools Report Generator — protected file block
   • Priority: High
   • Root Cause: Workflow config missing allowed-files exception for .github/aw/github-mcp-server.md
   • Recommended Action: Add allowed-files: [".github/aw/github-mcp-server.md"] to the create_pull_request handler config in the workflow frontmatter, OR set protected-files: fallback-to-issue to gracefully create a review issue when the PR cannot be created.
   • Affected: Run §24629165601, recurs on every run until fixed

Bug Fixes Required

1. Fix: Multi-Device Docs Tester — upload_artifact path mismatch
   • File/Location: Multi-Device Docs Tester workflow definition
   • Problem: Agent-produced files are not found by the upload_artifact safe output handler. Artifact safe-outputs-upload-artifacts was also not found during the prerequisite download step.
   • Fix: Verify that files the agent writes are within the allowed-paths configured for upload, or add if-no-files: ignore to gracefully skip empty uploads instead of failing.
   • Affected Jobs: upload_artifact

Work Item Plans

Work Item 1: Allow .github/aw/ path in MCP Tools Report workflow

• Type: Configuration Fix
• Priority: High
• Description: The GitHub MCP Remote Server Tools Report Generator workflow is blocked from creating PRs that update its own documentation (.github/aw/github-mcp-server.md) due to a protected path prefix rule. This is a legitimate update path that needs an explicit allow.
• Acceptance Criteria:
  • Workflow successfully creates a PR updating .github/aw/github-mcp-server.md
  • No protected-file error in subsequent runs
  • If fallback-to-issue approach is chosen, a review issue is created instead when the patch touches .github/
• Technical Approach: Either (a) add allowed-files: [".github/aw/github-mcp-server.md"] to the workflow's create_pull_request handler config, or (b) add protected-files: fallback-to-issue to gracefully degrade instead of hard-failing
• Estimated Effort: Small
• Dependencies: None

Work Item 2: Fix Multi-Device Docs Tester artifact upload

• Type: Bug Fix
• Priority: Medium
• Description: The upload_artifact safe output in Multi-Device Docs Tester fails because no files match the upload selection criteria. The agent may be writing files to paths not covered by allowed-paths, or the artifact referenced in the download step doesn't exist.
• Acceptance Criteria:
  • upload_artifact succeeds or silently skips when no test artifacts are produced
  • Agent test artifacts are accessible after workflow run
• Technical Approach: Investigate what paths the agent writes files to; add if-no-files: ignore as an immediate fix; align allowed-paths with agent output paths for the complete fix
• Estimated Effort: Small
• Dependencies: None

Historical Context

This is the first audit from the safe-output-health monitoring system. No prior baseline exists for trend comparison. The findings here establish the initial baseline:

• Baseline success rate: 86.7%
• Most reliable job types: create_discussion, create_issue, noop (all 100%)
• Problematic job types on first observation: upload_artifact, create_pull_request (both 0% on their one execution)

Metrics and KPIs

• Overall Safe Output Success Rate: 86.7% (13/15 runs succeeded)
• Most Reliable Job Types: create_discussion, create_issue, noop (100% each)
• Most Problematic Job Types: upload_artifact and create_pull_request (0%, 1 execution each)
• Cascading Failures: 1 (create_discussion cancelled due to create_pull_request failure)

Next Steps

• Add allowed-files or protected-files: fallback-to-issue to GitHub MCP Remote Server Tools Report Generator
• Investigate Multi-Device Docs Tester upload path configuration and add if-no-files: ignore
• Monitor next 24h to confirm fix effectiveness once changes are deployed
• Establish baseline trend tracking in cache memory (initiated today)

References:

• §24628589681 — Multi-Device Docs Tester (upload_artifact failure)
• §24629165601 — GitHub MCP Remote Server Tools Report Generator (create_pull_request protected file failure)

Generated by Safe Output Health Monitor · ● 217K · ◷

• expires on Apr 20, 2026, 1:14 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Safe Output Health Monitor.

A newer discussion is available at Discussion #27345.