"Check workflow file timestamps" step fails with ERR_CONFIG when workflow runs cross-repo via org rulesets #23779
Description
When a compiled workflow (.lock.yml) runs on a different repository than where it was defined — for example, via organization rulesets — the "Check workflow file timestamps" step fails with:
Root cause: check_workflow_timestamp_api.cjs uses context.repo to construct the GitHub API call that fetches the lock file content. When a workflow is triggered cross-repo (via org rulesets), context.repo resolves to the target repository, not the repository where the workflow source and lock file reside. The API returns 404 because the lock file does not exist in the target repository.
Steps to Reproduce
- Create a repository (Repo A) with a compiled agentic workflow (.md + .lock.yml).
- Configure an organization ruleset that enforces the workflow from Repo A on other repositories.
- Trigger the workflow on a different repository (Repo B) — e.g., open a pull request.
- The "Check workflow file timestamps" job step fails:
  - context.repo.owner / context.repo.repo = Repo B (the target)
  - The API call fetches .github/workflows/.lock.yml from Repo B → 404
  - Step exits with ERR_CONFIG
Expected Behavior
The timestamp check step should resolve the workflow source repository (from github.workflow_ref) rather than context.repo, or gracefully skip the check when the workflow is executing cross-repo.
Current Workaround
Post-compilation patch that adds an if: condition to skip the step when running cross-repo:
- name: Check workflow file timestamps
  if: startsWith(github.workflow_ref, format('{0}/', github.repository))
  uses: actions/github-script@v8
This condition evaluates to true only when the executing repository matches the workflow source repository (same-repo run), and false for cross-repo runs via org rulesets.
Suggested Fix
In check_workflow_timestamp_api.cjs, derive the source repository from github.workflow_ref (format: owner/repo/.github/workflows/file@ref) instead of context.repo. Alternatively, the compiler could emit the if: guard natively when generating the timestamp check step.
Environment
gh-aw CLI: v0.65.1
Platform: github.com
Trigger: Organization rulesets enforcing workflows cross-repo
Issue introduced in v0.65.0
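A sketch of the lookup described under "Suggested Fix", added here as an example and not taken from the issue or from gh-aw's code: it derives the repository holding the lock file from github.workflow_ref and reports whether the run is cross-repo. The function names and the sample repositories are hypothetical; the ref format is the one quoted in the issue.

```javascript
// Added example, not gh-aw code. Assumed input format (from the issue):
//   owner/repo/.github/workflows/file@ref
// The lazy match stops at the first ".yml@" / ".yaml@", so an "@" inside
// the git ref does not shift the split point.
const WORKFLOW_REF_RE =
  /^([^/]+)\/([^/]+)\/(\.github\/workflows\/.+?\.ya?ml)@(.+)$/;

// Returns { owner, repo, path, ref }, or null when the value is malformed.
function parseWorkflowRef(workflowRef) {
  const m = WORKFLOW_REF_RE.exec(String(workflowRef || ""));
  if (!m) return null;
  const [, owner, repo, path, ref] = m;
  return { owner, repo, path, ref };
}

// contextRepo is the { owner, repo } pair the step gets from context.repo,
// i.e. the repository the run executes in (Repo B in the reproduction).
// Returns the coordinates to read the lock file from, plus a crossRepo flag.
// Returns null for an unparsable ref so the caller has to decide explicitly
// between skipping and failing, rather than silently querying context.repo.
function resolveLockFileSource(workflowRef, contextRepo) {
  const src = parseWorkflowRef(workflowRef);
  if (!src) return null;
  // GitHub owner and repository names are case-insensitive.
  const same =
    src.owner.toLowerCase() === String(contextRepo.owner).toLowerCase() &&
    src.repo.toLowerCase() === String(contextRepo.repo).toLowerCase();
  return { ...src, crossRepo: !same };
}

// Constructed sample values, for illustration only.
const sampleRef =
  "octo-org/repo-a/.github/workflows/triage.lock.yml@refs/heads/main";
const target = { owner: "octo-org", repo: "repo-b" };
console.log(resolveLockFileSource(sampleRef, target));
```

The returned owner, repo, path and ref are the values a contents lookup would use in place of context.repo; the token available to the run still needs read access to the source repository for that lookup to succeed.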