github · pelikhan · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml
diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml
diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
diff --git a/.github/workflows/copilot-token-audit.lock.yml b/.github/workflows/copilot-token-audit.lock.yml
diff --git a/.github/workflows/copilot-token-optimizer.lock.yml b/.github/workflows/copilot-token-optimizer.lock.yml
diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml
diff --git a/.github/workflows/daily-community-attribution.lock.yml b/.github/workflows/daily-community-attribution.lock.yml
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml
diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml
diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml
diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml
diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml
diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml
diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml
diff --git a/.github/workflows/weekly-blog-post-writer.lock.yml b/.github/workflows/weekly-blog-post-writer.lock.yml
diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml
diff --git a/pkg/workflow/repo_memory.go b/pkg/workflow/repo_memory.go
@@ -736,21 +736,26 @@ func (c *Compiler) buildPushRepoMemoryJob(data *WorkflowData, threatDetectionEna
 		steps = append(steps, c.generateRestoreActionsSetupStep())
 	}
 
-	// Job condition: only run if the agent job succeeded (do not push repo memory when agent
-	// failed or was skipped). Using always() so the job still runs even when upstream jobs
-	// are skipped (e.g. detection is skipped when agent produces no outputs).
-	agentSucceeded := BuildEquals(
+	// Job condition: only run when the agent actually executed (not skipped).
+	// Using always() so the job still runs even when upstream jobs are skipped
+	// (e.g. detection is skipped when agent produces no outputs).
+	// We check != 'skipped' rather than == 'success' so that repo-memory is
+	// pushed even when the agent fails — partial memory data is still valuable.
+	// Crucially, this prevents the job from running on no-op workflow invocations
+	// (e.g. bot comments) where pre_activation is skipped and the skip cascades
+	// through activation → agent → detection.
+	agentRan := BuildNotEquals(
 		BuildPropertyAccess(fmt.Sprintf("needs.%s.result", constants.AgentJobName)),
-		BuildStringLiteral("success"),
+		BuildStringLiteral("skipped"),
 	)
 	jobNeeds := []string{string(constants.AgentJobName), string(constants.ActivationJobName)}
 	var jobCondition string
 	if threatDetectionEnabled {
 		// When threat detection is enabled, also require detection passed (succeeded or skipped).
-		jobCondition = RenderCondition(BuildAnd(BuildAnd(BuildFunctionCall("always"), buildDetectionPassedCondition()), agentSucceeded))
+		jobCondition = RenderCondition(BuildAnd(BuildAnd(BuildFunctionCall("always"), buildDetectionPassedCondition()), agentRan))
 		jobNeeds = append(jobNeeds, string(constants.DetectionJobName))
 	} else {
-		jobCondition = RenderCondition(BuildAnd(BuildFunctionCall("always"), agentSucceeded))
+		jobCondition = RenderCondition(BuildAnd(BuildFunctionCall("always"), agentRan))
 	}
 
 	// Build outputs map for validation failures from all memory steps

diff --git a/pkg/workflow/repo_memory_test.go b/pkg/workflow/repo_memory_test.go
@@ -1281,3 +1281,46 @@ func TestPushRepoMemoryJobConcurrencyKey(t *testing.T) {
 	assert.NotContains(t, pushJob.Concurrency, "push-repo-memory-${{ github.repository }}\"",
 		"Concurrency key should not be the old repo-wide-only key format")
 }
+
+// TestPushRepoMemoryJobConditionGatesOnAgentNotSkipped verifies that the push_repo_memory
+// job condition uses needs.agent.result != 'skipped' so the job does not run on no-op
+// workflow invocations (e.g. bot comments where pre_activation is skipped).
+func TestPushRepoMemoryJobConditionGatesOnAgentNotSkipped(t *testing.T) {
+	data := &WorkflowData{
+		RepoMemoryConfig: &RepoMemoryConfig{
+			Memories: []RepoMemoryEntry{
+				{ID: "default", BranchName: "memory/my-workflow"},
+			},
+		},
+	}
+
+	compiler := NewCompiler()
+
+	t.Run("without threat detection", func(t *testing.T) {
+		pushJob, err := compiler.buildPushRepoMemoryJob(data, false)
+		require.NoError(t, err, "Should build push job without error")
+		require.NotNil(t, pushJob, "Should produce a push job")
+
+		assert.Contains(t, pushJob.If, "always()",
+			"Condition should contain always() to bypass normal skip propagation")
+		assert.Contains(t, pushJob.If, "!= 'skipped'",
+			"Condition should check agent result != 'skipped' to gate on agent having run")
+		assert.NotContains(t, pushJob.If, "== 'success'",
+			"Condition should NOT use == 'success' — agent failures should still push memory")
+	})
+
+	t.Run("with threat detection", func(t *testing.T) {
+		pushJob, err := compiler.buildPushRepoMemoryJob(data, true)
+		require.NoError(t, err, "Should build push job without error")
+		require.NotNil(t, pushJob, "Should produce a push job")
+
+		assert.Contains(t, pushJob.If, "always()",
+			"Condition should contain always()")
+		assert.Contains(t, pushJob.If, "!= 'skipped'",
+			"Condition should check agent result != 'skipped'")
+		assert.Contains(t, pushJob.If, "needs.detection.result",
+			"Condition should still check detection result when threat detection is enabled")
+		assert.NotContains(t, pushJob.If, "needs.agent.result == 'success'",
+			"Condition should NOT use == 'success' for agent check")
+	})
+}