fix: per-issue conclusion concurrency in issue-duplication-detector (#2318)

Copilot · lpcox · Copilot · web-flow · commit ae24b654f685 · 2026-04-30T19:05:10.000-07:00
* Initial plan * fix: per-issue conclusion concurrency in issue-duplication-detector Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/0cb1066f-110a-42d0-aff8-3f03e8149067 * fix: use flexible whitespace in conclusion concurrency regex Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/0cb1066f-110a-42d0-aff8-3f03e8149067 * fix: make audit artifacts world-readable to fix gh-aw post-job EACCES AWF creates audit files (squid.conf, docker-compose.redacted.yml, policy-manifest.json) as root with 0o600 permissions. When gh-aw's post-job secret scanner runs as the runner user, it gets EACCES trying to stat/scan these files, causing job failures. Since audit files already have secrets redacted, change permissions from 0o700/0o600 to 0o755/0o644 so they're readable without needing the chmod a+rX cleanup step to have run first. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: revert audit permission change and clarify test comment Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/596b0f08-d1fb-468e-9115-70b3e4af8519 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Landon Cox <landon.cox@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/.github/workflows/issue-duplication-detector.lock.yml b/.github/workflows/issue-duplication-detector.lock.yml
diff --git a/scripts/ci/postprocess-smoke-workflows.test.ts b/scripts/ci/postprocess-smoke-workflows.test.ts
@@ -386,3 +386,64 @@ describe('copilotModelEmptyFallbackRegex', () => {
     expect(result).toBe(input);
   });
 });
+
+// ── Issue duplication detector conclusion concurrency tests ───────────────────
+// Mirrors the patterns in postprocess-smoke-workflows.ts.
+// If those patterns change, these tests will catch regressions.
+
+const issueDuplicationConclusionConcurrencyRegex =
+  /([ ]+group: "gh-aw-conclusion-issue-duplication-detector)("\n[ ]+cancel-in-progress: false)/;
+const issueDuplicationConclusionConcurrencySentinel =
+  'gh-aw-conclusion-issue-duplication-detector-${{ github.event.issue.number';
+
+describe('issueDuplicationConclusionConcurrencyRegex', () => {
+  const ORIGINAL_CONCURRENCY =
+    '    concurrency:\n' +
+    '      group: "gh-aw-conclusion-issue-duplication-detector"\n' +
+    '      cancel-in-progress: false\n';
+
+  it('should match the compiler-generated shared conclusion concurrency group', () => {
+    expect(issueDuplicationConclusionConcurrencyRegex.test(ORIGINAL_CONCURRENCY)).toBe(true);
+  });
+
+  it('should transform the group to include the issue number', () => {
+    const result = ORIGINAL_CONCURRENCY.replace(
+      issueDuplicationConclusionConcurrencyRegex,
+      `$1-\${{ github.event.issue.number || github.run_id }}$2`
+    );
+    expect(result).toContain('${{ github.event.issue.number || github.run_id }}');
+    expect(result).toContain('cancel-in-progress: false');
+    expect(result).not.toContain(
+      '"gh-aw-conclusion-issue-duplication-detector"\n'
+    );
+  });
+
+  it('should NOT match already-per-issue group (idempotency via sentinel)', () => {
+    const alreadyUpdated =
+      '    concurrency:\n' +
+      '      group: "gh-aw-conclusion-issue-duplication-detector-${{ github.event.issue.number || github.run_id }}"\n' +
+      '      cancel-in-progress: false\n';
+    // The sentinel string is present in the already-updated content, so the
+    // postprocess script skips the transform. Additionally, the regex itself
+    // does NOT match the updated form because the closing quote is no longer
+    // immediately after "issue-duplication-detector" — both guards agree.
+    expect(alreadyUpdated.includes(issueDuplicationConclusionConcurrencySentinel)).toBe(true);
+    expect(issueDuplicationConclusionConcurrencyRegex.test(alreadyUpdated)).toBe(false);
+  });
+
+  it('should preserve cancel-in-progress: false in the output', () => {
+    const result = ORIGINAL_CONCURRENCY.replace(
+      issueDuplicationConclusionConcurrencyRegex,
+      `$1-\${{ github.event.issue.number || github.run_id }}$2`
+    );
+    expect(result).toContain('cancel-in-progress: false');
+  });
+
+  it('should keep the workflow name prefix in the group', () => {
+    const result = ORIGINAL_CONCURRENCY.replace(
+      issueDuplicationConclusionConcurrencyRegex,
+      `$1-\${{ github.event.issue.number || github.run_id }}$2`
+    );
+    expect(result).toContain('gh-aw-conclusion-issue-duplication-detector-');
+  });
+});
diff --git a/scripts/ci/postprocess-smoke-workflows.ts b/scripts/ci/postprocess-smoke-workflows.ts
@@ -185,6 +185,20 @@ const cacheRestoreKeyPrefixRegex =
   /(memory-none-nopolicy-(?:\$\{\{ env\.GH_AW_WORKFLOW_ID_SANITIZED \}\}|[a-z0-9-]+)-)(\n)/g;
 const cacheDateRestoreKeySentinel = 'env.CACHE_MEMORY_DATE }}';
 
+// Fix for issue-duplication-detector.lock.yml: make the conclusion job's
+// concurrency group per-issue instead of per-workflow. Without this, when
+// multiple issues are opened simultaneously (batch triggers), all conclusion
+// jobs queue in the same single-slot group. GitHub Actions allows only one
+// pending run per group; a third arriving cancels the current pending one,
+// causing 40%+ error rates in busy periods.
+//
+// Change: "gh-aw-conclusion-issue-duplication-detector"
+//      → "gh-aw-conclusion-issue-duplication-detector-${{ github.event.issue.number || github.run_id }}"
+const issueDuplicationConclusionConcurrencyRegex =
+  /([ ]+group: "gh-aw-conclusion-issue-duplication-detector)("\n[ ]+cancel-in-progress: false)/;
+const issueDuplicationConclusionConcurrencySentinel =
+  'gh-aw-conclusion-issue-duplication-detector-${{ github.event.issue.number';
+
 // Builds the YAML for the "Strip execute bits" step.
 function buildStripExecBitsStep(indent: string): string {
   const i = indent;
@@ -422,6 +436,36 @@ for (const workflowPath of workflowPaths) {
     console.log(`  'Copy Copilot session state' step already updated`);
   }
 
+  // For issue-duplication-detector: scope the conclusion job's concurrency
+  // group to the triggering issue number so that concurrent runs for different
+  // issues don't block each other's conclusion jobs. The compiler generates a
+  // single shared group ("gh-aw-conclusion-issue-duplication-detector") which
+  // causes conclusion jobs to queue in a 1-slot group; when more than two
+  // complete simultaneously the pending job is cancelled by the next arrival.
+  const isIssueDuplicationDetector = workflowPath.includes(
+    'issue-duplication-detector.lock.yml'
+  );
+  if (isIssueDuplicationDetector) {
+    if (!content.includes(issueDuplicationConclusionConcurrencySentinel)) {
+      const concMatch = content.match(issueDuplicationConclusionConcurrencyRegex);
+      if (concMatch) {
+        content = content.replace(
+          issueDuplicationConclusionConcurrencyRegex,
+          `$1-\${{ github.event.issue.number || github.run_id }}$2`
+        );
+        modified = true;
+        console.log(`  Scoped conclusion concurrency group to per-issue for issue-duplication-detector`);
+      } else {
+        console.warn(
+          `  WARNING: Could not find conclusion concurrency group in issue-duplication-detector. ` +
+            `The compiled lock file may have changed structure. Manual review required.`
+        );
+      }
+    } else {
+      console.log(`  Conclusion concurrency group already per-issue for issue-duplication-detector`);
+    }
+  }
+
   // Exclude unused Playwright/browser tools from Copilot CLI for smoke-copilot.
   // The Copilot CLI includes 21 built-in browser_* tools when --allow-all-tools is set.
   // These tools are never used in smoke-copilot but add ~10,500 tokens/turn of dead weight.
