Agentic Workflow Audit — 2026-03-15

[github-actions[bot]]

Daily audit of agentic workflow runs. Analysis covers runs from the last 24 hours (2026-03-15).

Summary

• Total runs analyzed: 50 (11 agent runs, 39 skipped/trigger-filtered)
• Successful agent runs: 8 ✅
• Failed agent runs: 3 ❌
• Missing tools: 1 ⚠️
• Total tokens consumed: 8,614,690
• Firewall blocks: 2 (benign analytics domain)

---

Trend Charts

Workflow Health (Last 30 Days)

Today saw 3 failures against 8 successes (72.7% success rate for agent runs). The bulk of runs are event-triggered skips (slash commands, issue/PR reactions not matching), which is expected behavior.

Token Usage (Last 30 Days)

Today's 8.6M tokens is driven primarily by Chroma Issue Indexer (4.26M), Copilot PR Prompt Pattern Analysis (1.83M), and Contribution Check (1.45M). Cost tracking unavailable (no billing data in run metadata).

---

Failed Runs

Issue Monster — Configuration Failure [HIGH]

Run: §23104177948
Duration: 47s | Event: schedule

Root cause: Lockdown mode is enabled (lockdown: true) but no custom GitHub token is configured.

##[error]Lockdown mode is enabled (lockdown: true) but no custom GitHub token is configured.
Please configure one of:
  - GH_AW_GITHUB_TOKEN (recommended)
  - GH_AW_GITHUB_MCP_SERVER_TOKEN (alternative)

Impact: Workflow failed at activation — no agent ran, no output produced.

Resolution: Configure the required secret:

gh aw secrets set GH_AW_GITHUB_TOKEN --value "YOUR_FINE_GRAINED_PAT"
```

See: [auth docs](https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/auth.mdx)

</details>

<details>
<summary><b>Contribution Check — Safe Outputs Post-Processing Failure [MEDIUM]</b></summary>

**Run:** [§23104133000](https://github.com/github/gh-aw/actions/runs/23104133000)
**Duration:** 7.9m | **Tokens:** 1,454,603 | **Event:** schedule

**Root cause:** The `safe_outputs` job failed during post-processing. The agent itself completed successfully and produced valid output:
- Posted review comment on [PR #21018](https://github.com/github/gh-aw/pull/21018) (labeled `lgtm`)
- Posted review comment on [PR #20864](https://github.com/github/gh-aw/pull/20864) (labeled `needs-work`, requested PR split)
- Created issue [#21029](https://github.com/github/gh-aw/issues/21029) with contribution check report

**Impact:** Workflow reported as failed despite producing all intended outputs. Likely a label validation or post-processing step issue.

**Note:** The pre-filter step did not produce `pr-filter-results.json` this run — PRs were fetched directly as fallback.

**Resolution:** Investigate the `safe_outputs` job step logs; verify label names exist in the repo. Pre-filter step should be investigated to understand why it produced no output.

</details>

<details>
<summary><b>AI Moderator — Git Checkout Failure [MEDIUM]</b></summary>

**Run:** [§23103308460](https://github.com/github/gh-aw/actions/runs/23103308460)
**Duration:** 6.3m | **Event:** pull_request (branch: `copilot/update-action-pin-mode`)

**Root cause:** The agent job failed to checkout the PR branch:
```
##[error]The process '/usr/bin/git' failed with exit code 128
##[error]Attempted to check out: copilot/update-action-pin-mode
##[error]ERR_API: Failed to checkout PR branch

This was followed by Artifact not found for name: agent in the safe_outputs job.

Impact: AI Moderator could not process PR #21024. No moderation output was produced.

Resolution: The branch copilot/update-action-pin-mode may have been deleted, force-pushed, or merged before the agent could run. This is likely transient — subsequent PR events should work normally.

---

Missing Tools

GitHub Remote MCP Authentication Test — MCP Toolset Unavailable [MEDIUM]

Run: §23104007518
Duration: 5.6m | Tokens: 1,070,347 | Outcome: success (noop fallback)

Tools requested but unavailable: list_issues, get_repository (GitHub MCP server)

Reason: MCP toolsets unavailable in runner - tools not loaded

Impact: Minimal — the workflow completed successfully by using the missing_tool safe output. However, the test's purpose is to verify MCP authentication, so the missing tools indicate the remote MCP mode is not functioning as expected.

Resolution: Verify that GH_AW_GITHUB_MCP_SERVER_TOKEN is set and that the remote MCP server is reachable from the runner environment.

---

Firewall Analysis

Domain	Allowed	Blocked
api.githubcopilot.com:443	226	0
api.openai.com:443	6	0
ab.chatgpt.com:443	0	2

The 2 blocked requests to ab.chatgpt.com originated from the AI Moderator (codex engine). This appears to be an analytics/telemetry endpoint from the OpenAI/ChatGPT client SDK — not a data exfiltration concern. The firewall is correctly blocking it. No action required.

---

Top Token Consumers

Workflow	Tokens	Duration	Outcome
Chroma Issue Indexer	4,260,157	9.5m	✅ success
Copilot PR Prompt Pattern Analysis	1,829,583	8.1m	✅ success
Contribution Check	1,454,603	7.9m	❌ failure (safe_outputs)
GitHub Remote MCP Auth Test	1,070,347	5.6m	✅ success
AI Moderator (codex) × 2	~0 (no data)	7.3–13.7m	✅ success

---

Recommendations

1. [HIGH] Fix Issue Monster token configuration — Set GH_AW_GITHUB_TOKEN secret. This is a blocking configuration issue preventing the workflow from running at all.
2. [MEDIUM] Investigate Contribution Check safe_outputs failure — The agent produced correct output but the post-processing failed. Check whether the lgtm/needs-work label names exist or if there's a size/validation constraint being hit.
3. [MEDIUM] Investigate GitHub Remote MCP Authentication Test — The test workflow is failing its own purpose (verifying MCP auth) due to tools not being loaded. Check remote MCP mode configuration.
4. [LOW] AI Moderator git checkout race condition — The copilot/update-action-pin-mode branch was unavailable when the agent ran. Consider adding retry logic or graceful handling for deleted/merged branches.

---

References:

• §23104177948 — Issue Monster failure
• §23104133000 — Contribution Check failure
• §23103308460 — AI Moderator git failure

AI generated by Agentic Workflow Audit Agent · history

• expires on Mar 16, 2026, 6:01 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Agentic Workflow Audit Agent.

A newer discussion is available at Discussion #21183.