[daily regulatory] Regulatory Report - 2026-03-16

[github-actions[bot]]

Today's regulatory review analyzed 12 daily report discussions generated on 2026-03-16. Overall data quality is high — key metrics (lock file count: 172, workflow file count: 172) are consistent across all reports that reference them. No critical cross-report discrepancies were found. The most actionable findings are a recurring lockdown_no_token failure impacting Issue Monster and Daily Issues Report Generator (5 combined failures), a day-2 unresolved untrusted_checkout_exec poutine error in smoke workflows, and declining overall workflow success rate (77.8% today vs expected >90%).

Repository health indicators remain strong: code quality score 79/100, test-to-source ratio 2.27x, 100% workflow security coverage (redaction + permissions), and 0% unlabeled issues. Token consumption per run is trending upward (1.38M avg today), which warrants monitoring for cost implications.

📋 Full Regulatory Report

📊 Reports Reviewed

#	Report	Created (UTC)	Status
1	[daily secrets] Daily Secrets Analysis	20:08	✅ Valid
2	[daily performance] Daily Performance Summary	19:53	✅ Valid
3	📊 Lock File Statistics	16:51	✅ Valid
4	Daily Code Metrics Report	11:50	✅ Valid
5	📊 Daily Copilot Token Consumption	11:42	✅ Valid
6	[observability] Observability Coverage	08:11	⚠️ Minor warnings
7	[Auto-Triage] Auto-Triage Report	06:53	✅ Valid
8	Static Analysis Report	06:52	⚠️ Recurring issue
9	Daily Audit Report	06:10	⚠️ Elevated failures
10	Safe Output Health Report	04:38	⚠️ Partial period
11	Daily Firewall Report	01:12	✅ Valid
12	Daily Compiler Code Quality	00:27	⚠️ 1 file below threshold

🔍 Data Consistency Analysis

Cross-Report Metrics Comparison

Metric	Performance	Secrets	Lock File Stats	Code Metrics	Static Analysis	Scope	Status
Lock/Workflow files (workflow_files)	—	172	172	172	172	✅ Same	✅ Consistent
Open PRs (open_prs)	2	—	—	—	—	✅ Same	✅ N/A (single source)
Merged PRs (merged_prs)	83 / 100	—	—	—	—	✅ Same	✅ N/A (single source)
Issues analyzed (issues_analyzed)	1,000	—	—	—	—	⚠️ Performance scope	ℹ️ See Note
Open issues (open_issues)	~90	—	—	—	—	⚠️ Partial (last 1K)	ℹ️ See Note
Workflow runs (7d)	—	—	—	—	—	Firewall: 26; Observability: 236	✅ Different scopes
Firewall-enabled runs (firewall_enabled_runs)	—	—	—	—	—	Firewall: 26; Observability: 22	⚠️ See Note

Scope Notes:

• issues_analyzed: Performance report covers last 1,000 issues; Auto-Triage covers open issues query — different scopes by design.
• open_issues: Performance report derives from 1,000-issue sample; Auto-Triage queries all open issues — expected difference.
• firewall_enabled_runs: Firewall Report (26 total across 7d) vs Observability Report (22 runs in partial window) — time windows differ; not a true discrepancy.

Consistency Score

• Overall Consistency: 95% — all shared-scope metrics match
• Critical Discrepancies: 0
• Minor Scope Notes: 3 (documented above, all expected)

⚠️ Issues and Anomalies

Critical Issues

1. Recurring lockdown_no_token Failures — Issue Monster + Daily Issues Report
   • Affected Reports: Daily Audit Report (Daily Audit Report - 2026-03-16 #21183)
   • Metric: workflow_success_rate
   • Description: 5 of 6 workflow failures (83% of failures) share the same root cause: lockdown mode enabled without a custom GitHub token configured.
   • Expected: GH_AW_GITHUB_TOKEN or GH_AW_GITHUB_MCP_SERVER_TOKEN secret present.
   • Actual: Secret missing; all 4 scheduled Issue Monster runs + 1 Daily Issues Report run failed at activation.
   • Severity: High — affects 18.5% of today's analyzed runs; these workflows have not produced output.
   • Recommended Action: Configure GH_AW_GITHUB_TOKEN as a repository secret (see docs/src/content/docs/reference/auth.mdx). This is a recurring issue (appeared in previous regulatory reports).

Warnings

1. poutine untrusted_checkout_exec ERROR — Day 2 Unresolved

   • Details: Smoke workflows smoke-workflow-call and smoke-workflow-call-with-inputs have 6 poutine ERROR-level supply chain findings for untrusted checkout execution, unchanged from yesterday (173→172 workflows, 18→18 poutine findings).
   • Impact: Supply chain security risk; these errors persist as ERRORs (not warnings) and remain unresolved.

2. Safe Output add_comment Failure Rate — 40%

   • Details: 2/5 add_comment executions failed in the early-day sample (Safe Output Health Safe Output Health Report - 2026-03-16 #21171). Root cause is context mismatch: smoke workflows using target=triggering run on schedule without PR/issue context.
   • Impact: Medium — expected smoke test behavior, but failure rate may mask real issues if it becomes the baseline.

3. Observability MCP Signal Gap — 1 Run

   • Details: Contribution Check (§23129426404) had rpc-messages.jsonl present but 0 MCP entries — telemetry file exists but recorded no tool calls.
   • Impact: Low — single run; may indicate a run where MCP was configured but not exercised.

4. Compiler Code Quality compiler_yaml.go Below Threshold

   • Details: compiler_yaml.go scored 70/100 (threshold: 75), driven by critically low comment density (2.4%) and oversized functions (generatePrompt: 228 lines, generateCreateAwInfo: 126 lines).
   • Impact: Medium — YAML generation logic is complex and under-commented, creating a maintainability risk.

5. YAML Workflow LOC Spike — +20.1% in One Day

   • Details: Code Metrics shows YAML Workflows at 5,568 LOC, +932 lines (+20.1%) vs yesterday. This stands out vs all other categories (≤0.8% change).
   • Impact: Low-Medium — likely reflects the addition of new lock files or significant workflow expansions. Lock file count dropped 173→172, suggesting the LOC increase is from editing existing workflows, not additions.

Data Quality Notes

• Safe Output Health report notes coverage is only ~4.5 hours (midnight–04:38 UTC); full-day data will show higher totals.
• Token Consumption report covers 56 runs — notably below historical peaks (378 on 2026-02-11), likely a partial-day snapshot.
• Daily Audit covers only 27 runs — consistent with early-day partial coverage for today's analysis.
• No [daily issues] report found in today's discussions (it failed due to lockdown_no_token — confirmed by Daily Audit).

📈 Trend Analysis

Notable Trends

• Token intensity rising: Avg tokens per run: 533K (Jan 2026) → 1,386K (today) — 2.6× increase over ~2 months. Run counts have decreased but complexity per run is up.
• Code quality stable: Quality score held at 79/100; test-to-source ratio stable at 2.27x; healthy trend.
• Lock file count: 173 → 172 (−1 today); addition of add_comment safe outputs (+4), removal of create_issue usage (−1) suggests ongoing workflow refinement.
• Workflow failures: 22.2% failure rate today (6/27); when excluding lockdown_no_token recurring failures, platform success rate improves to ~96%.

📝 Per-Report Analysis

View Per-Report Details

[daily secrets] Daily Secrets Analysis

Source: #21281 | Time Period: 2026-03-16 snapshot | Quality: ✅ Valid

Metric	Value	Validation
Workflow files scanned	172	✅ Matches all other reports
Total secrets references	5,750	✅ Reasonable
github.token references	520	✅
Redaction coverage	172/172 (100%)	✅ Excellent
Permission blocks	172/172 (100%)	✅ Excellent

[daily performance] Daily Performance Summary

Source: #21278 | Time Period: Last 100 PRs / 1,000 issues | Quality: ✅ Valid

Metric	Value	Validation
PRs analyzed	100	✅
Merged PRs	83 (83%)	✅
Open PRs	2	✅
Issues analyzed	1,000	✅
Closed issues	910 (91%)	✅
Avg PR merge time	0.9 hours	✅

Notes: Open + closed + unmerged-closed = 2 + 910 + 15 = 927 ≠ 1000; note that issues and PRs are separate metrics — this is not a math error.

Daily Firewall Report

Source: #21147 | Time Period: 2026-03-09 to 2026-03-16 (7 days) | Quality: ✅ Valid

Metric	Value	Validation
Workflows with firewall	15 unique	✅
Total runs analyzed	26	✅
Network requests	537	✅
Allowed requests	515 (95.9%)	✅
Blocked requests	22 (4.1%)	✅ 515+22=537 ✅
Unique blocked domains	7	✅

Math check: 515 + 22 = 537 ✅

Safe Output Health Report

Source: #21171 | Time Period: ~4.5 hours UTC midnight | Quality: ⚠️ Partial

Metric	Value	Validation
Runs analyzed	239	✅
Safe output jobs triggered	29 (12.1%)	✅
Run-level success rate	81.8% (18/22)	✅
Error clusters	3	✅

💡 Recommendations

Process Improvements

1. Resolve lockdown_no_token permanently: Configure GH_AW_GITHUB_TOKEN secret — this has now caused failures across multiple days and is blocking Issue Monster and Daily Issues Report. High priority.
2. Address untrusted_checkout_exec in smoke workflows: This poutine ERROR has persisted for 2 days. Review smoke-workflow-call and smoke-workflow-call-with-inputs for unsafe checkout patterns.
3. Refactor compiler_yaml.go: Add comments (target ≥15% density) and extract generatePrompt (228 lines) into focused sub-functions to bring quality score above 75.
4. Investigate YAML LOC spike: +932 LOC (+20.1%) in workflow YAML in one day deserves investigation to confirm it's expected (e.g., intentional workflow expansion vs accidental duplication).

Data Quality Actions

1. Smoke test context handling: Consider adding if: github.event_name != 'schedule' guards on add_comment target=triggering steps in smoke workflows to reduce false failure noise.
2. Token consumption monitoring: With avg tokens/run at 1.38M and rising, establish a per-run budget alert threshold to catch runaway workflows before they significantly increase costs.

📊 Regulatory Metrics

Metric	Value
Reports Reviewed	12
Reports Passed	7
Reports with Warnings	5
Reports Failed	0
Critical Discrepancies	0
Overall Health Score	83%

---

References:

• §23163628885

AI generated by Daily Regulatory Report Generator · history

• expires on Mar 19, 2026, 8:14 PM UTC

[github-actions[bot]]

This report has been superseded by a newer daily regulatory report for 2026-03-17.