Summary
Daily cross-repo compilation audit of the top-20 public gh-aw adopters (ranked by stars, discovered from .lock.yml content). All workflows were compiled with the latest local build (gh aw version 85015b1) under --strict, followed by an automated gh aw fix --write + recompile pass.
| Metric | Value |
| --- | --- |
| Repositories selected | 20 |
| Cloned successfully | 20 |
| Clone failures | 0 |
| Compile failed (before fix) | 6 |
| Healed by gh aw fix | 3 ✅ |
| Still failing after fix | 3 ⚠️ |
Discovery note: GitHub code-search returned HTTP 429 on all 4 attempts, so the audit fell back to the cached lock-file repo pool (same behaviour as the prior two daily runs). Repo star/visibility metadata was re-validated live via the repo API.
Still failing after gh aw fix --write
These three need human action — fix has no codemod that resolves them today:
dotnet/maui — copilot-evaluate-tests.md
on.workflow_dispatch.inputs.pr_number.required: true is not allowed when using slash_command
Azure/azure-sdk-for-net — mgmt-review.md
pull_request_target trigger with checkout enabled is extremely insecure (explicit sparse-checkout block present)
Azure/azure-rest-api-specs — sdk-generation-agent.md
strict mode: secrets detected in 'env' section will be leaked to the agent container (top-level env.GITHUB_TOKEN: ${{ secrets... }})
Trend: this is the same persistent trio minus dotnet/skills, which now heals automatically (was failing 2026-06-04). Net improvement of one repo vs. yesterday.
Healed automatically ✅
| Repo | Error (before) | Codemod that fixed it |
| --- | --- | --- |
| storybookjs/storybook | tools.serena: unknown tool name | serena-tools-to-shared-import |
| openvinotoolkit/openvino | Unknown property: rate-limit | rate-limit-to-user-rate-limit |
| runhey/OnmyojiAutoScript | pull_request_target trigger with checkout enabled | pull-request-target-checkout-false |
Per-failure root cause & suggested remediation
1. dotnet/maui — required dispatch input under slash_command
The workflow combines a slash_command trigger with workflow_dispatch.inputs.pr_number.required: true. Slash-command dispatches are automatic and cannot supply required manual inputs, so the validator rejects it.
Fix: set required: false on pr_number (the workflow already defaults other inputs to false).
2. Azure/azure-sdk-for-net — pull_request_target + explicit checkout
    on:
      pull_request_target:
        types: [opened, reopened, synchronize]
    checkout:
      sparse-checkout: |
        .github
pull_request_target + checkout of PR-controlled refs is blocked by design. The pull-request-target-checkout-false codemod only auto-adds checkout: false when no explicit checkout block exists, so it skips this workflow silently. See the companion codemod-gap issue.
Fix (human): switch to pull_request, or set checkout: false and explicitly check out a trusted ref.
3. Azure/azure-rest-api-specs — top-level env secret leak
    strict: false
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_PERSONAL_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
A top-level env: secret is forwarded into the agent container. The audit compiles with --strict, which overrides the workflow's strict: false. The engine-env-secrets-to-engine-config codemod only scrubs engine.env, not top-level env.
Fix: remove GITHUB_TOKEN from top-level env (gh-aw injects it automatically), or move PAT into engine-specific secret config.
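A stand-alone pre-check for the two conditions in sections 2 and 3 that no codemod resolved, added here as an example and not taken from gh-aw's own validator. The function names, finding strings and pre-parsed front-matter dicts are constructed for illustration; treating any checkout value other than false as "enabled" is an assumption based on the error text above.

```python
import re

# Matches a GitHub Actions expression that references the secrets context.
SECRET_EXPR = re.compile(r"\$\{\{[^}]*\bsecrets\.\w+")

def triggers(fm):
    # PyYAML follows YAML 1.1 and loads a bare `on` key as boolean True,
    # so a parsed front matter may carry the triggers under either key.
    on = fm.get("on", fm.get(True))
    if isinstance(on, str):
        return {on}
    return set(on or ())

def secret_env(env, prefix):
    # Report every env entry whose value embeds a secrets expression.
    return [f"{prefix}.{key} carries a secrets expression"
            for key, value in (env or {}).items()
            if isinstance(value, str) and SECRET_EXPR.search(value)]

def audit(fm):
    findings = []
    checkout = fm.get("checkout")  # None when the key is absent
    if "pull_request_target" in triggers(fm) and checkout is not False:
        kind = "default checkout" if checkout is None else "explicit checkout block"
        findings.append(f"pull_request_target with {kind}")
    findings += secret_env(fm.get("env"), "env")
    engine = fm.get("engine")  # may be a plain string instead of a mapping
    if isinstance(engine, dict):
        findings += secret_env(engine.get("env"), "engine.env")
    return findings

# Constructed inputs mirroring the two snippets quoted in this report.
MGMT_REVIEW = {
    "on": {"pull_request_target": {"types": ["opened", "reopened", "synchronize"]}},
    "checkout": {"sparse-checkout": ".github\n"},
}
SDK_AGENT = {
    "strict": False,
    "env": {"GITHUB_TOKEN":
            "${{ secrets.GITHUB_PERSONAL_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}"},
}
# Constructed hardened variant: checkout disabled, no secrets in env.
HARDENED = {True: {"pull_request_target": None}, "checkout": False,
            "env": {"LOG_LEVEL": "debug"}}

if __name__ == "__main__":
    for name, fm in [("mgmt-review", MGMT_REVIEW), ("sdk-agent", SDK_AGENT),
                     ("hardened", HARDENED)]:
        print(name, audit(fm))
```
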
All 20 repos — compile status (before / fix / after)
| Repo | ⭐ | before | fix | after |
| --- | --- | --- | --- | --- |
| f/prompts.chat | 163321 | ✅ | 0 | ✅ |
| storybookjs/storybook | 90202 | ❌ | 0 | ✅ |
| moeru-ai/airi | 40721 | ✅ | 0 | ✅ |
| dotnet/aspnetcore | 37987 | ✅ | 0 | ✅ |
| taosdata/TDengine | 24890 | ✅ | 0 | ✅ |
| dotnet/maui | 23265 | ❌ | 0 | ❌ |
| Z3Prover/z3 | 12312 | ✅ | 0 | ✅ |
| openvinotoolkit/openvino | 10331 | ❌ | 0 | ✅ |
| github/copilot-sdk | 9091 | ✅ | 0 | ✅ |
| microsoft/aspire | 6021 | ✅ | 0 | ✅ |
| Azure/azure-sdk-for-net | 6002 | ❌ | 0 | ❌ |
| ReactiveX/RxPY | 5014 | ✅ | 0 | ✅ |
| github/gh-aw | 4568 | ✅ | 0 | ✅ |
| royshil/obs-backgroundremoval | 4345 | ✅ | 0 | ✅ |
| runhey/OnmyojiAutoScript | 4320 | ❌ | 0 | ✅ |
| TableProApp/TablePro | 4305 | ✅ | 0 | ✅ |
| dotnet/skills | 3271 | ✅ | 0 | ✅ |
| Azure/azure-rest-api-specs | 3067 | ❌ | 0 | ❌ |
| apache/cloudstack | 2939 | ✅ | 0 | ✅ |
| Azure/azure-sdk-for-js | 2290 | ✅ | 0 | ✅ |
Recommendations
- Close the pull_request_target + explicit-checkout codemod gap (tracked separately).
- Consider a codemod/diagnostic for top-level env: secrets under strict mode (currently only engine.env is covered).
- The maui required-input case is a one-off this run but recurs daily — a small validator hint suggesting required: false would shorten the fix loop.
Generated by 🔧 Daily AW Cross-Repo Compile Check · 259 AIC · ◷