From 6e54b9cae87b0a134eb673c251aedb8ed246c783 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 18 Jun 2026 18:16:19 +0000
Subject: [PATCH 1/2] Initial plan

From 17ffa85e51703450432b9e2b1bacdb3d193c25bd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 18 Jun 2026 18:38:59 +0000
Subject: [PATCH 2/2] fix(daily-security-observability): add --artifacts mcp and --timeout 8, fix error resilience and prompt field names

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .../daily-security-observability.lock.yml | 4 ++--
 .../workflows/daily-security-observability.md | 24 +++++++++++--------
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/daily-security-observability.lock.yml b/.github/workflows/daily-security-observability.lock.yml
index a8b9e911e52..62ba93614e7 100644
--- a/.github/workflows/daily-security-observability.lock.yml
+++ b/.github/workflows/daily-security-observability.lock.yml
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"a869be8d8328a194956925e2c7e3c98a784c555ad426caa6dd28a7106eeb3d77","body_hash":"00f1554cf88325e0c2ca074274809f77e0d9c3da9e314279de36ed80113ab312","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.63","copilot-sdk":"1.0.1"}}
+# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"0951baf3154975d8a440cade065101df032fb2f800128f93719d2c0e5667d319","body_hash":"c3e3b328c5d10f596d0197ff6a67df16e271742259a40f2d7df0adad169a7336","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.63","copilot-sdk":"1.0.1"}}
 # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_OTEL_GRAFANA_AUTHORIZATION","GH_AW_OTEL_GRAFANA_ENDPOINT","GH_AW_OTEL_SENTRY_AUTHORIZATION","GH_AW_OTEL_SENTRY_ENDPOINT","GITHUB_TOKEN"],"actions":[{"repo":"actions/cache/restore","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/cache/save","sha":"27d5ce7f107fe9357f9df03efb73ab90386fccae","version":"v5.0.5"},{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-go","sha":"4a3601121dd01d1626a1e23e37211e3254c1c06c","version":"v6.4.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"docker/build-push-action","sha":"f9f3042f7e2789586610d6e8b85c8f03e5195baf","version":"v7.2.0"},{"repo":"docker/setup-buildx-action","sha":"d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5","version":"v4.1
.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.4","digest":"sha256:b268ebf37df2428b19efcb383f001d65dc6a5ec10af43feb886d1a8477ab0e3a","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.4@sha256:b268ebf37df2428b19efcb383f001d65dc6a5ec10af43feb886d1a8477ab0e3a"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.4","digest":"sha256:3ea0d12a2d124db8ed6e2d18aff040e30ab3568161f258a132fccdeede4198cd","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.4@sha256:3ea0d12a2d124db8ed6e2d18aff040e30ab3568161f258a132fccdeede4198cd"},{"image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.4","digest":"sha256:72c378c029d2fad4684847ab44c329e526ac6b1a78cdf97656870ea11d201545","pinned_image":"ghcr.io/github/gh-aw-firewall/cli-proxy:0.27.4@sha256:72c378c029d2fad4684847ab44c329e526ac6b1a78cdf97656870ea11d201545"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.4","digest":"sha256:87979038897e40caed22245b64d1daa796390d2dca289b99d3d1174c85740af8","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.4@sha256:87979038897e40caed22245b64d1daa796390d2dca289b99d3d1174c85740af8"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.26","digest":"sha256:d3b03f54eee3a8176818c9a52087623e45b7f644a28814337fcc0838e2534490","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.26@sha256:d3b03f54eee3a8176818c9a52087623e45b7f644a28814337fcc0838e2534490"},{"image":"ghcr.io/github/gh-aw-node","digest":"sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b","pinned_image":"ghcr.io/github/gh-aw-node@sha256:529d02eb970b1161aa25c593a9c3df57fdfad5a8add328cb3b6eccef66f3183b"},{"image":"ghcr.io/github/github-mcp-server:v1.3.0","digest":"sha256:5c83359327a0bacc3d34db730bea6557d39d341cee0bf6c58c9a896e33150e80","pinned_image":"ghcr.io/github/github-mcp-server:v1.3.0@sha256:5c83359327a0bacc3d34db730bea6557d39d341cee0bf6c58c9a896e33150e80"}]} # This file was automatically generated by gh-aw. DO NOT EDIT. 
To debug this workflow, load the skill at https://github.com/github/gh-aw/blob/main/debug.md #
@@ -570,7 +570,7 @@ jobs:
 - env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 name: Download integrity-filtered logs
- run: "mkdir -p /tmp/gh-aw/agent/integrity\n# Download logs filtered to only runs with DIFC integrity-filtered events\ngh aw logs --filtered-integrity --start-date -7d --json -c 200 \\\n > /tmp/gh-aw/agent/integrity/filtered-logs.json\n\nif [ -f /tmp/gh-aw/agent/integrity/filtered-logs.json ]; then\n count=$(jq '. | length' /tmp/gh-aw/agent/integrity/filtered-logs.json 2>/dev/null || echo 0)\n echo \"✅ Downloaded $count runs with integrity-filtered events\"\nelse\n echo \"⚠️ No logs file produced; continuing with empty dataset\"\n echo \"[]\" > /tmp/gh-aw/agent/integrity/filtered-logs.json\nfi\n"
+ run: "mkdir -p /tmp/gh-aw/agent/integrity\n# Download logs filtered to only runs with DIFC integrity-filtered events.\n# --artifacts mcp: only download the MCP gateway log artifact (sufficient for DIFC checking).\n# --timeout 8: cap execution at 8 minutes to prevent runaway downloads.\ngh aw logs --filtered-integrity --start-date -7d --json -c 200 \\\n --artifacts mcp --timeout 8 \\\n > /tmp/gh-aw/agent/integrity/filtered-logs.json || true\n\n# Validate JSON output and fall back to an empty dataset on failure\nif ! jq -e '.runs' /tmp/gh-aw/agent/integrity/filtered-logs.json > /dev/null 2>&1; then\n echo \"⚠️ No valid logs produced; continuing with empty dataset\"\n echo '{\"runs\":[],\"summary\":{\"total_runs\":0}}' > /tmp/gh-aw/agent/integrity/filtered-logs.json\nfi\n\ncount=$(jq '.runs | length' /tmp/gh-aw/agent/integrity/filtered-logs.json 2>/dev/null || echo 0)\necho \"✅ Downloaded $count runs with integrity-filtered events\"\n"
 # Cache memory file share configuration from frontmatter processed below
 - name: Create cache-memory directory
diff --git a/.github/workflows/daily-security-observability.md b/.github/workflows/daily-security-observability.md
index b793aee9985..b8ac7289390 100644
--- a/.github/workflows/daily-security-observability.md
+++ b/.github/workflows/daily-security-observability.md
@@ -37,18 +37,22 @@ steps:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 mkdir -p /tmp/gh-aw/agent/integrity
- # Download logs filtered to only runs with DIFC integrity-filtered events
+ # Download logs filtered to only runs with DIFC integrity-filtered events.
+ # --artifacts mcp: only download the MCP gateway log artifact (sufficient for DIFC checking).
+ # --timeout 8: cap execution at 8 minutes to prevent runaway downloads.
 gh aw logs --filtered-integrity --start-date -7d --json -c 200 \
- > /tmp/gh-aw/agent/integrity/filtered-logs.json
+ --artifacts mcp --timeout 8 \
+ > /tmp/gh-aw/agent/integrity/filtered-logs.json || true
 
- if [ -f /tmp/gh-aw/agent/integrity/filtered-logs.json ]; then
- count=$(jq '. | length' /tmp/gh-aw/agent/integrity/filtered-logs.json 2>/dev/null || echo 0)
- echo "✅ Downloaded $count runs with integrity-filtered events"
- else
- echo "⚠️ No logs file produced; continuing with empty dataset"
- echo "[]" > /tmp/gh-aw/agent/integrity/filtered-logs.json
+ # Validate JSON output and fall back to an empty dataset on failure
+ if ! jq -e '.runs' /tmp/gh-aw/agent/integrity/filtered-logs.json > /dev/null 2>&1; then
+ echo "⚠️ No valid logs produced; continuing with empty dataset"
+ echo '{"runs":[],"summary":{"total_runs":0}}' > /tmp/gh-aw/agent/integrity/filtered-logs.json
 fi
 
+ count=$(jq '.runs | length' /tmp/gh-aw/agent/integrity/filtered-logs.json 2>/dev/null || echo 0)
+ echo "✅ Downloaded $count runs with integrity-filtered events"
+
 tools:
 bash:
 - "*"
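Review bot: The `|| true` appended to the `gh aw logs` line, combined with the `if ! jq -e '.runs' ...` fallback, makes a failed download (bad token, network error, the `--timeout 8` expiring) exit 0 with the same empty dataset as a genuinely quiet week, so the prompt's Step 3.1 will report "No DIFC integrity-filtered events found" when the feed was actually broken. Keep the step non-fatal but record the failure, e.g. `rc=0`, `gh aw logs ... > /tmp/gh-aw/agent/integrity/filtered-logs.json || rc=$?`, `[ "$rc" -eq 0 ] || echo "::warning::gh aw logs exited $rc; report will use an empty dataset"`, and consider adding a marker key of your choosing (for example `"download_failed": true`) to the fallback JSON so the report can say the data was unavailable rather than absent. `jq -e '.runs'` also accepts a non-array `runs` value; `jq -e '.runs | type == "array"'` pins the shape that the later `.runs | length` and the prompt's `run_id` extraction depend on. The new comment states that `--timeout 8` is eight minutes, but the unit is not visible in this change and is worth confirming against the CLI before relying on it. The same script is mirrored in the generated `daily-security-observability.lock.yml` hunk, which should be regenerated from this file rather than edited.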
@@ -172,11 +176,11 @@ Upload both charts using `upload_asset` and record the returned URLs.
 ### Step 3.1: Check for DIFC Data
-Read `/tmp/gh-aw/agent/integrity/filtered-logs.json`. If the array is empty (no runs found in the last 7 days), note "No DIFC integrity-filtered events found in the last 7 days." and proceed directly to Phase 5 (combined report).
+Read `/tmp/gh-aw/agent/integrity/filtered-logs.json`. If the `runs` array is empty or missing (no runs found in the last 7 days), note "No DIFC integrity-filtered events found in the last 7 days." and proceed directly to Phase 5 (combined report).
 ### Step 3.2: Fetch Detailed DIFC Gateway Data
-1. Read `/tmp/gh-aw/agent/integrity/filtered-logs.json` and extract all run IDs from each entry's `databaseId` field.
+1. Read `/tmp/gh-aw/agent/integrity/filtered-logs.json` and extract all run IDs from each entry's `run_id` field (under the `runs` array).
 2. For each run ID, call the `audit` tool to get its detailed DIFC filtered events:
 ```json