safe_outputs: dispatched worker fails to apply bundle with "couldn't find remote ref" when dispatched from a non-main scanner run

[sg650]

Bug

When the scanner is dispatched from a non-main ref (e.g. a PR branch), the worker it spawns via dispatch_workflow fails in safe_outputs at bundle-apply time with couldn't find remote ref for the brand-new branch the bundle is supposed to create. The agent job itself completes successfully and the bundle is uploaded as an artifact — the failure is purely in safe_outputs git plumbing.

Symptom

##[warning]Bundle fetch with refs/heads/<worker-branch-name> failed: fatal: couldn't find remote ref refs/heads/<worker-branch-name>
##[error]✗ Message 1 (create_pull_request) failed: Failed to apply bundle
##[warning]⚠️ Code push operation 'create_pull_request' failed — continuing with remaining safe outputs (add_comment messages will include a failure note)
##[error]1 safe output(s) failed:

What happens

1. Scanner runs on a PR branch (via gh aw run <scanner-workflow> --ref <pr-branch>).
2. Scanner emits one or more dispatch_workflow safe outputs targeting a worker workflow. Those dispatches inherit the ref.
3. Worker agent runs successfully on the PR branch, creates a new branch locally, emits create_pull_request with bundle_path set; base_commit is the latest commit on the PR branch.
4. safe_outputs job activation does the standard checkout with refspec +refs/heads/main*:refs/remotes/origin/main* and git checkout -B main refs/remotes/origin/main.
5. Handler then does a git fetch origin that brings in every branch — but obviously not the worker's brand-new branch, since it doesn't exist on origin yet (the whole point of the bundle is to push it).
6. Handler then runs the bundle fetch with refspec refs/heads/<worker-branch>:refs/heads/<worker-branch> against the bundle file. git fetch reports couldn't find remote ref — i.e. the bundle file does not contain that ref.

Likely root cause

When the worker agent runs on a non-main ref, the branch it creates locally is based on that PR-branch commit. The bundle is created locally on the agent runner. Something in the bundle-creation path may be choosing a ref name (or base) that the safe_outputs side then can't resolve when it has only main checked out.

This works fine when the scanner runs from main and dispatches workers from main. We've reproduced it twice on PR branches.

Repro

In any repo with a scanner→worker dispatch:

gh aw run <scanner-workflow> --ref <non-main-branch>

When the scanner dispatches a worker that emits create_pull_request from a bundle, the worker's safe_outputs job will fail with couldn't find remote ref.

Impact

• Worker agent's PR is never opened, despite the agent doing all the substantive work (full root-cause analysis + patch + regression test).
• Pushed branch & decision-record persistence (push_repo_memory) succeed.
• Dev iteration on scanner/worker workflows from a feature branch is broken — you have to merge to main to validate the full dispatch chain end-to-end.

Suggested investigation

• Confirm whether git bundle create on the agent side captures the branch ref when the workspace HEAD is a non-main ref.
• If yes, check whether safe_outputs is constructing the bundle-fetch refspec from the bundle's actual contents (git bundle list-heads <bundle>) vs. the message's branch field.
• Consider making dispatch_workflow always target main so workers don't inherit a non-main ref (or document that limitation explicitly).

Workaround

Validate scanner/worker changes by merging the PR to main, then run gh aw run. Not great for iteration speed.

---

Compiler: gh-aw v0.76.1. Engine: copilot/claude-sonnet-4.6/v1.0.52.

[srgibbs99]

@pelikhan bumping this if possible.