fix: relocate checkout manifest into safeoutputs/ so containerized safe-outputs MCP can read it#40025
Merged
Merged
Conversation
…fe-outputs MCP can read it The safe-outputs MCP server now runs in a container that only bind-mounts $RUNNER_TEMP/gh-aw/safeoutputs (plus the workspace and /tmp/gh-aw). The checkout manifest was written as a sibling at $RUNNER_TEMP/gh-aw/checkout-manifest.json, so it was invisible inside the container. Manifest-first checkout resolution then fell back to an unreliable git scan and failed with 'Repository <owner>/<repo> not found in workspace', breaking create_pull_request and push_to_pull_request_branch. Write and read the manifest at $RUNNER_TEMP/gh-aw/safeoutputs/checkout-manifest.json so it lives inside the mounted directory. Fixes #40018
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes cross-repo safe-outputs handlers failing after the safe-outputs MCP server moved into a container by relocating the checkout manifest into the already bind-mounted safeoutputs/ directory under $RUNNER_TEMP/gh-aw/.
Changes:
- Write the checkout manifest to
$RUNNER_TEMP/gh-aw/safeoutputs/checkout-manifest.jsoninbuild_checkout_manifest.cjs. - Read the manifest from the same new default location in
checkout_manifest.cjs(while preservingGH_AW_CHECKOUT_MANIFESToverride behavior). - Update the Go-side comment, JS unit test expectation, and add a changeset documenting the behavioral fix.
Show a summary per file
| File | Description |
|---|---|
pkg/workflow/checkout_step_generator.go |
Updates the documented manifest path to the new safeoutputs/ location. |
actions/setup/js/checkout_manifest.cjs |
Changes the default manifest read path to .../safeoutputs/checkout-manifest.json and updates inline docs. |
actions/setup/js/build_checkout_manifest.test.cjs |
Updates the test to assert the new manifest output path. |
actions/setup/js/build_checkout_manifest.cjs |
Changes the manifest write directory to .../safeoutputs/ with rationale tied to container mounts. |
.changeset/patch-relocate-checkout-manifest-into-safeoutputs.md |
Adds a patch changeset describing the fix and why it addresses the container visibility issue. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 5/5 changed files
- Comments generated: 0
Contributor
|
✅ smoke-ci: safeoutputs CLI comment + comment-memory run (27752248931)
|
Contributor
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment.
|
This was referenced Jun 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix: relocate checkout manifest into
safeoutputs/so containerized safe-outputs MCP can read itProblem
The safe-outputs MCP server runs in a container whose bind-mount covers only
$RUNNER_TEMP/gh-aw/safeoutputs/(plus the workspace and/tmp/gh-aw). The checkout manifest was written one level up at$RUNNER_TEMP/gh-aw/checkout-manifest.json, making it invisible inside the container. Manifest-first checkout resolution then fell back to an unreliable git scan and failed with:This broke
create_pull_requestandpush_to_pull_request_branch.Solution
Move the manifest write and read path from
$RUNNER_TEMP/gh-aw/checkout-manifest.jsonto
$RUNNER_TEMP/gh-aw/safeoutputs/checkout-manifest.jsonso the file lives inside the bind-mounted directory and is visible to the containerized safe-outputs MCP server.
Changes
actions/setup/js/build_checkout_manifest.cjscheckout-manifest.jsontosafeoutputs/subdirectory instead of the parentgh-aw/directory. Core fix.actions/setup/js/checkout_manifest.cjssafeoutputs/checkout-manifest.json; expands JSDoc to explain the bind-mount constraint. Core fix.actions/setup/js/build_checkout_manifest.test.cjsgh-aw/checkout-manifest.json→gh-aw/safeoutputs/checkout-manifest.jsonto match the new write location.pkg/workflow/checkout_step_generator.gosafeoutputs/..changeset/patch-relocate-checkout-manifest-into-safeoutputs.md5 files changed, 20 insertions(+), 8 deletions(-)
Risk
build_checkout_manifest.cjs,checkout_manifest.cjs(path change takes effect immediately on next setup run)checkout-manifest.jsonat the old path ($RUNNER_TEMP/gh-aw/) will be ignored; a fresh manifest will be written at the new path on nextsetupexecution. No migration needed.