feat: Move APM dependency resolution to activation job via pack/unpack

[Copilot]

APM dependencies were resolved at agent-job runtime — slow, network-dependent, and non-deterministic across retries. This moves resolution to the activation job (pack) and unpacking to the agent job (restore) via a separate apm artifact.

New compilation output

Activation job — pack step + artifact upload:

- name: Install and pack APM dependencies
  id: apm_pack
  uses: microsoft/apm-action@<sha>
  with:
    dependencies: |
      - microsoft/apm-sample-package
    isolated: 'true'
    pack: 'true'
    archive: 'true'
    target: copilot          # inferred from engine
    working-directory: /tmp/gh-aw/apm-workspace

- name: Upload APM bundle artifact
  uses: actions/upload-artifact@<sha>
  with:
    name: apm
    path: ${{ steps.apm_pack.outputs.bundle-path }}
    retention-days: 1

Agent job — download + restore:

- name: Download APM bundle artifact
  uses: actions/download-artifact@<sha>
  with:
    name: apm
    path: /tmp/gh-aw/apm-bundle

- name: Restore APM dependencies
  uses: microsoft/apm-action@<sha>
  with:
    bundle: /tmp/gh-aw/apm-bundle/*.tar.gz
    isolated: 'true'   # only when frontmatter isolated: true

Changes

• APMDependenciesInfo — adds Isolated bool field
• extractAPMDependenciesFromFrontmatter — adds object format support alongside existing array format:

  dependencies:
    packages:
      - microsoft/apm-sample-package
    isolated: true   # clears .github/ primitive dirs before unpack

• apm_dependencies.go — replaces GenerateAPMDependenciesStep with GenerateAPMPackStep and GenerateAPMRestoreStep
• WorkflowExecutor interface — adds GetAPMTarget() string method; BaseEngine defaults to "all", CopilotEngine returns "copilot", ClaudeEngine returns "claude"; the APM target is inferred from the engine at compile time rather than via a standalone mapping function
• compiler_activation_job.go — emits pack step (using engine.GetAPMTarget()) and separate apm artifact upload after prompt generation
• compiler_yaml_main_job.go — replaces old install step with artifact download + restore
• frontmatter.md — documents new object format and pack/unpack behavior
• smoke-claude.md — adds microsoft/apm-sample-package as an APM dependency to exercise the pack/restore path in the smoke test workflow

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

---

Changeset

• Type: patch
• Description: Package APM dependencies during activation and restore them via the apm artifact, speeding up agent jobs and making resolution deterministic.

Generated by Changeset Generator for issue #20385 · ◷

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• github.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "github.com"

See Network Configuration for more information.

---

Changeset

• Type: patch
• Description: Package APM dependencies during activation and restore them via the apm artifact so agent jobs use a deterministic dependency bundle.

Generated by Changeset Generator for issue #20385 · ◷

Warning

⚠️ Firewall blocked 3 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• codeload.github.com
• github.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "codeload.github.com"
    - "github.com"

See Network Configuration for more information.

---

Changeset

• Type: patch
• Description: Package APM dependencies during activation and restore them via the apm artifact for deterministic agent jobs.

Generated by Changeset Generator for issue #20385 · ◷

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• github.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "github.com"

See Network Configuration for more information.

---

---

✨ PR Review Safe Output Test - Run 22953085519

💥 [THE END] — Illustrated by Smoke Claude · ◷

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha copilot/move-apm-dependency-resolution^{commit} (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -unreachable=false /tmp/go-build2067647365/b062/vet.cfg 7647365/b342/vet.cfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 7647365/b048/vet.cfg .cfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 7647365/b034/vet.cfg .cfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 7647365/b051/vet.cfg .cfg pull.rebase (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 7647365/b053/vet.cfg .cfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha se 7647365/b111/vet.cfg .cfg (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha se 7647365/b063/vet.cfg .cfg (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha se 7647365/b055/vet.cfg .cfg (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha k/_temp/runtime-logs/user.env (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot add microsoft/compliance-rules package to smoke-claude agentic workflow.

[Copilot]

@copilot add microsoft/compliance-rules package to smoke-claude agentic workflow.

Done in dfb7260. Added microsoft/compliance-rules to the dependencies field in smoke-claude.md and recompiled the lock file. The activation job now packs the dependency with target: claude and uploads an apm artifact; the agent job downloads and restores it.

[github-actions]

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

Smoke Test Results for run §22918207837 — @pelikhan

Test	Status
GitHub MCP	✅
MCP Scripts GH CLI	✅
Serena MCP	❌
Playwright	✅
Web Fetch	✅
File Writing	✅
Bash Tool	✅
Discussion Interaction	✅
Build gh-aw	✅
Discussion Creation	✅
Workflow Dispatch	✅
PR Review	✅

Overall: ❌ FAIL — Serena MCP tools unavailable

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions]

APM dependency resolution moved to the activation job — solid architectural improvement. Two inline notes left: one on the smoke-claude dependency addition, one on the isolated flag docs. Overall this is a well-structured change.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Commit pushed: e49f180

Generated by Changeset Generator

[pelikhan]

@copilot update apm-actions v1.3.1 , recompile

[Copilot]

@copilot update apm-actions v1.3.1 , recompile

Done in 8e6f753. Updated microsoft/apm-action to v1.3.1 (SHA: 5eac264e08ed8db603fe2c40983794f94cab49d8) and recompiled all 166 workflows.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw nMLAs3sO8HZ3 (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/access_log.go /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/actionlint.go (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
• https://api.github.com/repos/microsoft/apm-action/git/ref/tags/v1.3.1
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.

[github-actions]

🤖 Smoke test run §22953085519 — PARTIAL (core all pass, 3 skipped)

Core (#1–10): ✅✅✅✅✅✅✅✅✅✅
PR Review (#11–17): ✅✅✅⚠️✅⚠️⚠️

Skipped: #14 (PRRT node IDs), #16 (on main branch), #17 (no safe PR to close)

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions]

Hey @Copilot 👋 — thanks for this big PR! The APM pack/unpack work is solid and well-tested, but this PR bundles a couple of unrelated changes that make it harder to review:

1. failure-issue-repo safe-outputs feature — changes to safe_outputs_config.go, notify_comment.go, imports.go, handle_agent_failure.cjs, and docs (glossary.md / safe-outputs.md) don't relate to APM
2. dispatch.go refactor — the fileDownloadFn dependency-injection type and remote_workflow_test.go updates are independent of APM
3. data-ops.md documentation changes — removed content unrelated to APM

Could you split these into separate focused PRs? Something like:

• feat: Move APM dependency resolution to activation job via pack/unpack (the core work)
• feat: Add failure-issue-repo support to safe-outputs (the safe-outputs piece)

This would make each change much easier to review and merge individually. The core APM work looks great — just needs some untangling! 🙏

Generated by Contribution Check · ◷