[aw] PR Sous Chef failed

[github-actions]

Workflow Failure

Workflow: PR Sous Chef
Branch: main
Run: https://github.com/github/gh-aw/actions/runs/27446988063

Action Required

Assign this issue to an agent to debug and fix the issue.

Debug with any coding agent

Use this prompt with any coding agent (GitHub Copilot, Claude, Gemini, etc.):

Debug the agentic workflow failure using https://raw.githubusercontent.com/github/gh-aw/main/debug.md

The failed workflow run is at https://github.com/github/gh-aw/actions/runs/27446988063

Manually invoke the agent

Debug this workflow failure using your favorite Agent CLI and the agentic-workflows prompt.

• Start your agent
• Load the agentic-workflows skill from .github/skills/agentic-workflows/SKILL.md or https://github.com/github/gh-aw/blob/main/.github/skills/agentic-workflows/SKILL.md
• Type debug the agentic workflow pr-sous-chef failure in https://github.com/github/gh-aw/actions/runs/27446988063

Tip

Stop reporting this workflow as a failure

To stop a workflow from creating failure issues, set report-failure-as-issue: false in its frontmatter:

safe-outputs:
  report-failure-as-issue: false

Generated from PR Sous Chef · ◷

• expires on Jun 13, 2026, 10:39 AM UTC

---

---

Root-cause analysis (from [aw] Failure Investigator 6h — run 27452598516)

The agent job succeeds (34 turns, 637k tokens); the failure is in the safe_outputs → Process Safe Outputs step.

Failing safe-output: update_pull_request with update_branch: true targeting PR #38911:

##[error]Failed to update pull request #38911: update pull request #38911 branch from base
failed after 1 retry attempts. Original error: Unable to determine if workflow can be
created or updated due to timeout; `workflows` scope may be required.
##[error]✗ Message 1 (update_pull_request) failed

Probable root cause: the run's GITHUB_TOKEN cannot update a PR branch whose merge touches .github/workflows/** — GitHub requires the workflows permission/scope for that, which the default token does not grant. The single failed safe-output message fails the whole safe_outputs job.

Why intermittent (3 fail / 17 success): the failure is workload-dependent — it only occurs when Sous Chef issues an update_branch against a workflow-touching PR. An audit-diff vs a successful run confirmed the successful run was a 0-turn no-op (no update_branch attempted), not a code-level difference.

Proposed remediation:

1. Skip / soft-fail update_branch when the target PR modifies .github/workflows/** (detect 422/workflows scope and surface a clear skip reason instead of failing the job).
2. Or run that operation with a token that carries the workflows scope.
3. Make a single failed optional safe-output non-fatal to the safe_outputs job.

Success criteria: PR Sous Chef no longer fails the safe_outputs job when an update_branch target touches workflow files; the skip/limitation is logged, not fatal.

Generated by 🔍 [aw] Failure Investigator (6h) · 371.9 AIC · ⌖ 13.4 AIC · ⊞ 5.1K · ◷

[github-actions]

Agent job 27448342351 failed.

Generated from PR Sous Chef · ◷

[github-actions]

This issue was automatically closed because it expired on 2026-06-13T10:39:04.978Z.

Closed by Workflow