Optimize safe output checkout with shallow clone and targeted branch fetching

[Copilot]

Safe output jobs for create-pull-request and push-to-pull-request-branch performed full repository checkouts (fetch-depth: 0), which is expensive for large repositories. This changes them to shallow clones with explicit branch fetching.

Changes

Go compiler changes:

• Modified buildCreatePullRequestPreStepsConsolidated() and buildPushToPullRequestBranchPreStepsConsolidated() to use fetch-depth: 1 instead of fetch-depth: 0

JavaScript runtime changes:

• create_pull_request.cjs: Replaced git fetch origin with git fetch origin ${baseBranch}:${baseBranch} to fetch only the base branch
• push_to_pull_request_branch.cjs: Replaced git fetch origin with git fetch origin ${branchName}:refs/remotes/origin/${branchName} to fetch only the target branch

Example

Before:

await exec.exec("git fetch origin");  // Fetches all branches
await exec.exec(`git checkout ${baseBranch}`);

After:

await exec.exec(`git fetch origin ${baseBranch}:${baseBranch}`);  // Fetches only needed branch
await exec.exec(`git checkout ${baseBranch}`);

This reduces clone time and network transfer significantly for repositories with extensive history.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login oad-artifact.git php8.3 /usr/bin/git l 4 /usr/bin/git git for-�� b/workflows %(refname) /usr/bin/git l a255aa63a3cc5ba3rev-parse /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login it/ref/tags/v5 git (http block)
  • Triggering command: /usr/bin/gh gh api user --jq .login ithub/workflows origin e/git-remote-https xterm-color (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

The safe output job should emit a shallow checkout step for the create-pull-request or push-to-pull-request-branch because some repositories are huge and it is an expensive task.

Instead, the JavaScript should run git command to ensure that the branches required are available.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Smoke Test Results - Copilot Engine

Last 2 merged PRs:

• [security-fix] Fix clear-text logging of sensitive information in secrets validation #7178: Security fix - clear-text logging
• Keep map_helpers.go and git_helpers.go as standalone files #7175: Helper files review

Test Results:

• ✅ GitHub MCP: Accessed merged PRs
• ✅ File Writing: Created & verified test file
• ✅ Bash Tool: Executed commands successfully
• ✅ Default Toolset: get_me correctly unavailable
• ✅ Cache Memory: Read/write successful

Overall Status: PASS

cc: @pelikhan

📰 BREAKING: Report filed by Smoke Copilot fer issue #7176 🗺️

[github-actions]

Smoke Test Results

✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-20418939388.txt
✅ Bash Tool: Verified file content successfully
❌ Safe Input gh Tool: safeinputs-gh tool not available

Status: PARTIAL PASS (2/3 tests passed)

Ahoy! This treasure was crafted by 🏴‍☠️ Smoke Copilot Safe Inputs fer issue #7176 🗺️

[github-actions]

Smoke Test Results: Copilot Engine (No Firewall)

Last 2 Merged PRs:

• [security-fix] Fix clear-text logging of sensitive information in secrets validation #7178: Fix clear-text logging of sensitive information in secrets validation
• [docs] Update documentation for shorthand label trigger syntax #7173: Update documentation for shorthand label trigger syntax

Test Results:

• ✅ GitHub MCP: Retrieved PRs successfully
• ✅ File Writing: Created test file in /tmp/gh-aw/agent/
• ✅ Bash Tool: Verified file creation (Mon Dec 22 01:22:39 UTC 2025)
• ✅ Playwright MCP: Navigated to github.com, title contains "GitHub"
• ⏳ Safe Input gh Tool: Testing now...

Status: Running final test

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #7176 🗺️

[github-actions]

Firewall smoke test (Codex + AWF)
PRs: [security-fix] Fix clear-text logging of sensitive information in secrets validation; [docs] Update documentation for shorthand label trigger syntax
OpenAI curl blocked: ✅
example.com blocked: ✅
GitHub MCP (PR titles fetched): ✅
File write/read: ✅ (/tmp/gh-aw/agent/smoke-test-codex-firewall-20418939393.txt)
Network: SANDBOXED | Overall: PASS

🔥 Firewall tested by Smoke Codex Firewall fer issue #7176 🗺️

[github-actions]

Smoke Test Results - Claude Engine

Last 2 Merged PRs:

• [security-fix] Fix clear-text logging of sensitive information in secrets validation #7178: [security-fix] Fix clear-text logging of sensitive information
• [docs] Update documentation for shorthand label trigger syntax #7173: [docs] Update documentation for shorthand label trigger syntax

Test Results:
✅ GitHub MCP - Retrieved PRs successfully
✅ File Writing - Created /tmp/gh-aw/agent/smoke-test-claude-20418939409.txt
✅ Bash Tool - Verified file creation
✅ Playwright MCP - Navigated to GitHub, title verified: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
✅ Cache Memory - Created /tmp/gh-aw/cache-memory/smoke-test-20418939409.txt
❌ Safe Input gh Tool - Tool not available in this environment

Status: PASS (5/6 core tests passed)

💥 [THE END] — Illustrated by Smoke Claude fer issue #7176 🗺️

[github-actions]

Recent merged PRs: [security-fix] Fix clear-text logging of sensitive information in secrets validation; [docs] Update documentation for shorthand label trigger syntax
GitHub MCP (last 2 merged PRs): ✅
File write /tmp/gh-aw/agent & cat: ✅
Playwright title contains "GitHub": ✅
Cache memory file write & cat: ✅
safeinputs-gh gh issues list --limit 3: ❌ (command not found)
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex fer issue #7176 🗺️