Skip to content

fix: detection job missing engine.env job dependencies in needs list#44202

Merged
pelikhan merged 13 commits into
mainfrom
copilot/fix-threat-detection-needs
Jul 8, 2026
Merged

fix: detection job missing engine.env job dependencies in needs list#44202
pelikhan merged 13 commits into
mainfrom
copilot/fix-threat-detection-needs

Conversation

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

When engine.env values reference needs.<job>.outputs.* expressions, the auto-generated detection job inherits those env mappings but was not gaining the referenced jobs in its needs list — causing the expressions to silently resolve to empty strings at runtime. The agent and conclusion jobs already had this fixed; detection was the remaining gap.

Changes

  • pkg/workflow/threat_detection_job.go: After building the initial needs: [agent, activation] list, scan engine.env values for needs.<customJob>.outputs.* references using getReferencedCustomJobs and append the referenced custom jobs — mirroring the identical scan already done for the agent job in compiler_main_job.go.

  • pkg/workflow/compiler_jobs_test.go: Three new tests covering the detection job fix:

    • TestBuildDetectionJobEngineEnvNeedsExpression — custom job appears in detection needs
    • TestBuildDetectionJobEngineEnvNeedsNotDuplicated — no duplicate entries when job is referenced multiple times
    • TestBuildDetectionJobEngineEnvNeedsIntegration — end-to-end lock file compilation confirms correct output

Example

For a workflow with:

engine:
  env:
    COPILOT_MODEL: ${{ needs.select_model.outputs.model }}
jobs:
  select_model:
    needs: pre_activation
    ...

Before this fix, the compiled detection job omitted select_model:

jobs:
  detection:
    needs: [activation, agent]   # select_model missing → COPILOT_MODEL resolves to ""

After:

jobs:
  detection:
    needs: [activation, agent, select_model]   # expression evaluates correctly

Copilot AI and others added 2 commits July 8, 2026 05:34
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot merge main and recompile

Copilot AI changed the title [WIP] Fix threat detection needs to incorporate jobs in engine.env expressions fix: detection job missing engine.env job dependencies in needs list Jul 8, 2026
Copilot AI requested a review from pelikhan July 8, 2026 05:47
@pelikhan pelikhan marked this pull request as ready for review July 8, 2026 05:50
Copilot AI review requested due to automatic review settings July 8, 2026 05:50
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ failed to deliver outputs during design decision gate check.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

⚠️ PR Code Quality Reviewer failed during code quality review.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a workflow compilation gap where the auto-generated detection job did not inherit required needs dependencies implied by engine.env values referencing needs.<job>.outputs.*, leading to empty-string expression evaluation at runtime.

Changes:

  • Extend buildDetectionJob to scan engine env values for needs.<customJob>.outputs.* references and append those custom jobs to the detection job’s needs.
  • Add unit + integration-style tests to validate detection job needs behavior for engine env references.
  • Regenerate two compiled workflow lock files.
Show a summary per file
File Description
pkg/workflow/threat_detection_job.go Adds dependency inference for detection job based on engine.env needs.* references.
pkg/workflow/compiler_jobs_test.go Adds tests intended to cover the new detection-job dependency behavior.
.github/workflows/lint-monster.lock.yml Regenerated compiled workflow output (safe-outputs config snippet updated).
.github/workflows/eslint-monster.lock.yml Regenerated compiled workflow output (safe-outputs config snippet updated).

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment thread pkg/workflow/threat_detection_job.go Outdated
Comment on lines +78 to +94
if data.EngineConfig != nil && len(data.EngineConfig.Env) > 0 && len(data.Jobs) > 0 {
var engineEnvBuilder strings.Builder
for _, envValue := range data.EngineConfig.Env {
engineEnvBuilder.WriteByte('\n')
engineEnvBuilder.WriteString(envValue)
}
engineEnvJobs := c.getReferencedCustomJobs(engineEnvBuilder.String(), data.Jobs)
for _, jobName := range engineEnvJobs {
if isBuiltinJobName(jobName) {
continue
}
if !slices.Contains(needs, jobName) {
needs = append(needs, jobName)
threatLog.Printf("Added custom job '%s' to detection needs because it's referenced in engine.env", jobName)
}
}
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in bd99f2e. buildDetectionJob now scans the effective detection engine config, so safe-outputs.threat-detection.engine.env overrides the top-level engine env when computing detection needs.

Comment thread pkg/workflow/compiler_jobs_test.go Outdated
Comment on lines +4222 to +4229
yamlStr := string(content)

// The detection job must directly depend on select_model
detectionSection := extractJobSection(yamlStr, "detection")
require.NotEmpty(t, detectionSection, "detection job section should be present in lock file")

assert.Contains(t, detectionSection, "select_model",
"detection job must list select_model in its needs (referenced via engine.env)")

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in bd99f2e. The integration test now parses the compiled lock YAML and asserts jobs.detection.needs directly instead of relying on a substring match.

@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix correctly identifies the gap: the detection job inherited engine.env values (via detectionEngineConfig.Env) but did not scan those values for needs.(job).outputs.* expressions the way the agent job already did.

The implementation cleanly mirrors the pattern in compiler_main_job.go - same guard, same helper, same dedup logic. Tests cover the unit case, dedup case, and an end-to-end lock-file integration test.

The lock file changes (removing required_title_prefix from update_issue in the eslint-monster and lint-monster workflows) appear to be a correct side-effect of running make recompile, not a regression.

No blocking issues found.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 41.1 AIC · ⌖ 5.78 AIC · ⊞ 4.8K

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Warning

The push_to_pull_request_branch operation failed: Cannot push to pull request branch: bundle modifies files outside the allowed-files list (.github/workflows/ab-testing-advisor.lock.yml, .github/workflows/agent-performance-analyzer.lock.yml, .github/workflows/agent-persona-explorer.lock.yml, .github/workflows/agentic-token-optimizer.lock.yml, .github/workflows/ai-moderator.lock.yml, .github/workflows/approach-validator.lock.yml, .github/workflows/archie.lock.yml, .github/workflows/artifacts-summary.lock.yml, .github/workflows/auto-triage-issues.lock.yml, .github/workflows/avenger.lock.yml, .github/workflows/aw-failure-investigator.lock.yml, .github/workflows/bot-detection.lock.yml, .github/workflows/breaking-change-checker.lock.yml, .github/workflows/chaos-pr-bundle-fuzzer.lock.yml, .github/workflows/ci-coach.lock.yml, .github/workflows/ci-doctor.lock.yml, .github/workflows/claude-code-user-docs-review.lock.yml, .github/workflows/code-scanning-fixer.lock.yml, .github/workflows/code-simplifier.lock.yml, .github/workflows/codex-github-remote-mcp-test.lock.yml, .github/workflows/commit-changes-analyzer.lock.yml, .github/workflows/contribution-check.lock.yml, .github/workflows/copilot-agent-analysis.lock.yml, .github/workflows/copilot-cli-deep-research.lock.yml, .github/workflows/copilot-opt.lock.yml, .github/workflows/copilot-pr-nlp-analysis.lock.yml, .github/workflows/copilot-pr-prompt-analysis.lock.yml, .github/workflows/copilot-session-insights.lock.yml, .github/workflows/craft.lock.yml, .github/workflows/daily-agent-of-the-day-blog-writer.lock.yml, .github/workflows/daily-ambient-context-optimizer.lock.yml, .github/workflows/daily-assign-issue-to-user.lock.yml, .github/workflows/daily-aw-cross-repo-compile-check.lock.yml, .github/workflows/daily-awf-spec-compiler-surfacing.lock.yml, .github/workflows/daily-cache-strategy-analyzer.lock.yml, .github/workflows/daily-caveman-optimizer.lock.yml, .github/workflows/daily-choice-test.lock.yml, .github/workflows/daily-cli-performance.lock.yml, .github/workflows/daily-code-metrics.lock.yml, .github/workflows/daily-community-attribution.lock.yml, .github/workflows/daily-compiler-quality.lock.yml, .github/workflows/daily-compiler-threat-spec-optimizer.lock.yml, .github/workflows/daily-doc-healer.lock.yml, .github/workflows/daily-doc-updater.lock.yml, .github/workflows/daily-experiment-report.lock.yml, .github/workflows/daily-fact.lock.yml, .github/workflows/daily-file-diet.lock.yml, .github/workflows/daily-firewall-report.lock.yml, .github/workflows/daily-formal-spec-verifier.lock.yml, .github/workflows/daily-function-namer.lock.yml, .github/workflows/daily-geo-optimizer.lock.yml, .github/workflows/daily-hippo-learn.lock.yml, .github/workflows/daily-issues-report.lock.yml, .github/workflows/daily-malicious-code-scan.lock.yml, .github/workflows/daily-mcp-concurrency-analysis.lock.yml, .github/workflows/daily-model-inventory.lock.yml, .github/workflows/daily-model-resolution.lock.yml, .github/workflows/daily-multi-device-docs-tester.lock.yml, .github/workflows/daily-news.lock.yml, .github/workflows/daily-observability-report.lock.yml, .github/workflows/daily-performance-summary.lock.yml, .github/workflows/daily-regulatory.lock.yml, .github/workflows/daily-reliability-review.lock.yml, .github/workflows/daily-rendering-scripts-verifier.lock.yml, .github/workflows/daily-repo-chronicle.lock.yml, .github/workflows/daily-safe-output-integrator.lock.yml, .github/workflows/daily-safe-outputs-conformance.lock.yml, .github/workflows/daily-safeoutputs-git-simulator.lock.yml, .github/workflows/daily-secrets-analysis.lock.yml, .github/workflows/daily-security-observability.lock.yml, .github/workflows/daily-security-red-team.lock.yml, .github/workflows/daily-semgrep-scan.lock.yml, .github/workflows/daily-spdd-spec-planner.lock.yml, .github/workflows/daily-team-evolution-insights.lock.yml, .github/workflows/daily-team-status.lock.yml, .github/workflows/daily-testify-uber-super-expert.lock.yml, .github/workflows/daily-windows-terminal-integration-builder.lock.yml, .github/workflows/daily-workflow-updater.lock.yml, .github/workflows/daily-yamllint-fixer.lock.yml, .github/workflows/dataflow-pr-discussion-dataset.lock.yml, .github/workflows/dead-code-remover.lock.yml, .github/workflows/deep-report.lock.yml, .github/workflows/delight.lock.yml, .github/workflows/dependabot-burner.lock.yml, .github/workflows/dependabot-go-checker.lock.yml, .github/workflows/dependabot-repair.lock.yml, .github/workflows/deployment-incident-monitor.lock.yml, .github/workflows/design-decision-gate.lock.yml, .github/workflows/designer-drift-audit.lock.yml, .github/workflows/dev-hawk.lock.yml, .github/workflows/dev.lock.yml, .github/workflows/developer-docs-consolidator.lock.yml, .github/workflows/dictation-prompt.lock.yml, .github/workflows/discussion-task-miner.lock.yml, .github/workflows/draft-pr-cleanup.lock.yml, .github/workflows/eslint-miner.lock.yml, .github/workflows/eslint-monster.lock.yml, .github/workflows/eslint-refiner.lock.yml, .github/workflows/example-permissions-warning.lock.yml, .github/workflows/example-workflow-analyzer.lock.yml, .github/workflows/firewall-escape.lock.yml, .github/workflows/functional-pragmatist.lock.yml, .github/workflows/github-mcp-structural-analysis.lock.yml, .github/workflows/github-mcp-tools-report.lock.yml, .github/workflows/github-remote-mcp-auth-test.lock.yml, .github/workflows/glossary-maintainer.lock.yml, .github/workflows/go-fan.lock.yml, .github/workflows/go-logger.lock.yml, .github/workflows/gpclean.lock.yml, .github/workflows/grumpy-reviewer.lock.yml, .github/workflows/hippo-embed.lock.yml, .github/workflows/hourly-ci-cleaner.lock.yml, .github/workflows/impeccable-skills-reviewer.lock.yml, .github/workflows/instructions-janitor.lock.yml, .github/workflows/issue-arborist.lock.yml, .github/workflows/issue-monster.lock.yml, .github/workflows/issue-triage-agent.lock.yml, .github/workflows/jsweep.lock.yml, .github/workflows/layout-spec-maintainer.lock.yml, .github/workflows/lint-monster.lock.yml, .github/workflows/linter-miner.lock.yml, .github/workflows/mattpocock-skills-reviewer.lock.yml, .github/workflows/mergefest.lock.yml, .github/workflows/metrics-collector.lock.yml, .github/workflows/necromancer.lock.yml, .github/workflows/notion-issue-summary.lock.yml, .github/workflows/objective-impact-report.lock.yml, .github/workflows/org-health-report.lock.yml, .github/workflows/outcome-collector.lock.yml, .github/workflows/plan.lock.yml, .github/workflows/poem-bot.lock.yml, .github/workflows/pr-code-quality-reviewer.lock.yml, .github/workflows/pr-description-caveman.lock.yml, .github/workflows/pr-nitpick-reviewer.lock.yml, .github/workflows/pr-sous-chef.lock.yml, .github/workflows/pr-triage-agent.lock.yml, .github/workflows/prompt-clustering-analysis.lock.yml, .github/workflows/q.lock.yml, .github/workflows/refactoring-cadence.lock.yml, .github/workflows/refiner.lock.yml, .github/workflows/repo-audit-analyzer.lock.yml, .github/workflows/repository-quality-improver.lock.yml, .github/workflows/ruflo-backed-task.lock.yml, .github/workflows/schema-consistency-checker.lock.yml, .github/workflows/schema-feature-coverage.lock.yml, .github/workflows/scout.lock.yml, .github/workflows/security-compliance.lock.yml, .github/workflows/security-review.lock.yml, .github/workflows/semantic-function-refactor.lock.yml, .github/workflows/sergo.lock.yml, .github/workflows/skillet.lock.yml, .github/workflows/smoke-agent-all-merged.lock.yml, .github/workflows/smoke-agent-all-none.lock.yml, .github/workflows/smoke-agent-public-approved.lock.yml, .github/workflows/smoke-agent-public-none.lock.yml, .github/workflows/smoke-agent-scoped-approved.lock.yml, .github/workflows/smoke-antigravity.lock.yml, .github/workflows/smoke-ci.lock.yml, .github/workflows/smoke-claude-on-copilot.lock.yml, .github/workflows/smoke-claude.lock.yml, .github/workflows/smoke-codex.lock.yml, .github/workflows/smoke-copilot-aoai-apikey.lock.yml, .github/workflows/smoke-copilot-aoai-entra.lock.yml, .github/workflows/smoke-copilot-arm.lock.yml, .github/workflows/smoke-copilot.lock.yml, .github/workflows/smoke-create-cross-repo-pr.lock.yml, .github/workflows/smoke-crush.lock.yml, .github/workflows/smoke-gemini.lock.yml, .github/workflows/smoke-opencode.lock.yml, .github/workflows/smoke-otel-backends.lock.yml, .github/workflows/smoke-pi.lock.yml, .github/workflows/smoke-project.lock.yml, .github/workflows/smoke-update-cross-repo-pr.lock.yml, .github/workflows/spec-enforcer.lock.yml, .github/workflows/spec-extractor.lock.yml, .github/workflows/spec-librarian.lock.yml, .github/workflows/stale-pr-cleanup.lock.yml, .github/workflows/stale-repo-identifier.lock.yml, .github/workflows/static-analysis-report.lock.yml, .github/workflows/step-name-alignment.lock.yml, .github/workflows/sub-issue-closer.lock.yml, .github/workflows/technical-doc-writer.lock.yml, .github/workflows/terminal-stylist.lock.yml, .github/workflows/tidy.lock.yml, .github/workflows/typist.lock.yml, .github/workflows/ubuntu-image-analyzer.lock.yml, .github/workflows/uk-ai-operational-resilience.lock.yml, .github/workflows/unbloat-docs.lock.yml, .github/workflows/weekly-blog-post-writer.lock.yml, .github/workflows/weekly-issue-summary.lock.yml, .github/workflows/weekly-safe-outputs-spec-review.lock.yml, .github/workflows/workflow-generator.lock.yml, .github/workflows/workflow-health-manager.lock.yml, .github/workflows/workflow-normalizer.lock.yml). Add the files to the allowed-files configuration field or remove them from the bundle.. The code changes were not applied.

Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (182 new lines in pkg/) but does not have a linked Architecture Decision Record (ADR).

Draft ADR committed: docs/adr/44202-detection-job-engine-env-needs-scan.md — review and complete it before merging.

This PR cannot merge until an ADR is linked in the PR body.

What to do next
  1. Review the draft ADR committed to your branch — it was generated from the PR diff
  2. Complete the missing sections — add context the AI could not infer, refine the decision rationale, and list real alternatives you considered
  3. Commit the finalized ADR to docs/adr/ on your branch
  4. Reference the ADR in this PR body by adding a line such as:
    ADR: [ADR-44202: Detection Job engine.env Needs Scan](docs/adr/44202-detection-job-engine-env-needs-scan.md)

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

  • Context — What is the problem? What forces are at play?
  • Decision — What did you decide? Why?
  • Alternatives Considered — What else could have been done?
  • Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number.

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · 48 AIC · ⌖ 9.54 AIC · ⊞ 8.5K ·
Comment /review to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 80/100 — Excellent

Analyzed 3 test(s): 3 design, 0 implementation, 0 violation(s).

📊 Metrics (3 tests)
Metric Value
Analyzed 3 (Go: 3, JS: 0)
✅ Design 3 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 3 (100%)
Duplicate clusters 0
Inflation YES (157 test lines / 25 prod lines = 6.3:1, −10 pts)
🚨 Violations 0
Test File Classification Issues
TestBuildDetectionJobEngineEnvNeedsExpression compiler_jobs_test.go:~4074 design_test / behavioral_contract / high_value None
TestBuildDetectionJobEngineEnvNeedsNotDuplicated compiler_jobs_test.go:~4130 design_test / behavioral_contract / high_value None
TestBuildDetectionJobEngineEnvNeedsIntegration compiler_jobs_test.go:~4174 design_test / behavioral_contract / high_value None
📋 Test Analysis Details

TestBuildDetectionJobEngineEnvNeedsExpression — Verifies the primary behavioral fix: when engine.env references needs.<customJob>.outputs.*, the detection job gains a direct dependency on that custom job. Also checks that existing agent and activation dependencies are preserved. All assertions carry descriptive failure messages. ✅

TestBuildDetectionJobEngineEnvNeedsNotDuplicated — Edge-case: when the same custom job is referenced multiple times across different engine.env values, it must appear exactly once in the detection job needs list. Counts occurrences in the slice directly. ✅

TestBuildDetectionJobEngineEnvNeedsIntegration — End-to-end: compiles a full workflow markdown → reads the emitted .lock.yml → asserts the detection job section lists select_model in its needs. Exercises the full compiler pipeline. Named "Integration" but lives in the //go:build !integration unit file — minor naming incongruity, not a policy violation (build tag is correct). ✅

Inflation note: 157 test additions vs. 25 production additions (6.3:1 ratio), exceeding the 2:1 threshold (−10 pts). Contextually appropriate given three tests covering unit, deduplication, and integration scenarios for a targeted algorithmic fix.

Verdict

Passed. 0% implementation tests (threshold: 30%). All 3 tests enforce user-visible behavioral contracts with descriptive assertions, full edge-case coverage, and no mock violations.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 33.2 AIC · ⌖ 9.96 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test Quality Sentinel: 80/100. 0% implementation tests (threshold: 30%). All 3 tests enforce behavioral contracts with descriptive assertions, edge-case and deduplication coverage, and no mock violations.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address any unresolved review feedback, and rerun checks once the branch is ready.

Generated by 👨‍🍳 PR Sous Chef · 7.14 AIC · ⌖ 9.31 AIC · ⊞ 7.1K ·
Comment /souschef to run again

Copilot AI and others added 3 commits July 8, 2026 06:25
…tection-needs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… deps

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot merge main, recompile
Run pr-finisher skill

Done in 3e22ac1. I merged main, ran make recompile, finished the pr-finisher pass, and pushed the follow-up fix for detection-job built-in engine.env warnings plus the regenerated lock files. Local make fmt, make lint, make test-unit, make test, and make agent-report-progress all passed. CI on this head is stale after the agent push, so a maintainer still needs to re-trigger it before merge.

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address any unresolved review feedback, and rerun checks once the branch is ready.

...

007677d adds docs/adr/44202-detection-job-engine-env-needs-scan.md to cover the remaining design-gate feedback. I reran make fmt, make lint, make test-unit, make test, make recompile, and make agent-report-progress; all passed locally, and I didn’t find any other remaining in-scope review feedback to change. CI on this head is still stale/unverified after the agent push and needs a maintainer re-trigger before merge; the ADR also still needs to be linked from the PR body for the design gate.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category bug
Risk 🟡 Medium
Score 68/100 (impact:30 urgency:23 quality:15)
Action fast_track

Rationale: Fixes silent runtime bug — detection job missing needs entries for jobs referenced in engine.env, causing expressions to resolve to empty strings. Already fixed for agent/conclusion; this closes the gap. Well-described with tests.


Run §28924016278

Generated by 🔧 PR Triage Agent · 101 AIC · ⌖ 9.82 AIC · ⊞ 5.4K ·

@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot merge main and recompile

Copilot AI and others added 2 commits July 8, 2026 09:35
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…tection-needs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot merge main and recompile

Done in 71b34bf. I merged main, reran the workflow recompilation, and verified the branch with make agent-report-progress; the merge commit and regenerated lock files are pushed.

@pelikhan pelikhan merged commit 2adb865 into main Jul 8, 2026
29 checks passed
@pelikhan pelikhan deleted the copilot/fix-threat-detection-needs branch July 8, 2026 10:42
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Threat detection 'needs' does not incorporate jobs in engine.env expressions

4 participants