
Add safe-outputs configuration to notion-issue-summary workflow #13844

Closed
Copilot wants to merge 2 commits into main from copilot/fix-notion-issue-summary-workflow


Copilot AI commented Feb 5, 2026

The notion-issue-summary workflow creates issue summary comments but was missing safe-outputs configuration, preventing it from using the structured safe-outputs pipeline. Audit identified this as 1 of 9 workflows without safe-outputs, though the other 8 legitimately don't need it (tests, examples, read-only operations).

Changes

  • Added safe-outputs: add-comment: max: 1 to .github/workflows/notion-issue-summary.md frontmatter
  • Recompiled workflow to generate updated .lock.yml with safe-outputs infrastructure

safe-outputs:
  add-comment:
    max: 1

This enables the workflow's existing instruction to "use the notion_add_comment safe-job" to function correctly through the safe-outputs framework with proper validation and constraint enforcement.

Increases safe-outputs coverage from 93.8% to 94.5% (137/145 workflows).

Original prompt

This section details the original issue you should resolve

<issue_title>[q] Fix notion-issue-summary workflow safe-outputs configuration</issue_title>
<issue_description>## Summary

This PR addresses a finding from the Agentic Workflow Audit Report (Discussion github/gh-aw#13735) by adding safe-outputs configuration to the notion-issue-summary.md workflow.

Investigation Findings

The audit report identified 9 workflows without safe-outputs (6.2% of 145 workflows). After detailed investigation of each workflow, I found that:

  • 8 workflows legitimately don't need safe-outputs (test workflows, example workflows, or read-only operations)
  • 1 workflow genuinely needed the fix: notion-issue-summary.md

Workflows Without Safe-Outputs - Analysis

| Workflow | Needs Fix? | Reason |
| --- | --- | --- |
| chroma-issue-indexer.md | | Read-only workflow, only indexes to database |
| codex-github-remote-mcp-test.md | | Test workflow, no GitHub writes |
| example-custom-error-patterns.md | | Example workflow for documentation |
| example-permissions-warning.md | | Example workflow for documentation |
| firewall.md | | Test workflow for network firewall |
| metrics-collector.md | | Stores to repo-memory, no GitHub writes |
| test-workflow.md | | Basic test workflow |
| test-yaml-import.md | | Test workflow for imports |
| notion-issue-summary.md | | FIXED - Creates comments but was missing safe-outputs |

Changes Made

Modified File: .github/workflows/notion-issue-summary.md

Added safe-outputs configuration:

safe-outputs:
  add-comment:
    max: 1

Rationale: This workflow analyzes issues and creates summaries as comments, but was missing the safe-outputs configuration needed to properly integrate with the safe-outputs framework. This fix ensures the workflow can create comments through the structured safe-outputs pipeline.

Other Audit Findings Investigated

Network Security ✅ Already Configured

Workflows using web-fetch or external network access already have proper network: allowed: configuration with explicit domain allow-lists. No changes needed.

Examples:

  • cli-version-checker.md: allowed: [defaults, node, "api.github.com", "ghcr.io"]
  • cli-consistency-checker.md: allowed: [defaults, node, "api.github.com"]

MCP Server Adoption ✅ Acceptable

Low MCP adoption (2.8% - only 4 workflows) is intentional and acceptable. Most workflows work perfectly with built-in tools. MCP servers add complexity and should only be used when specialized capabilities are needed.

Runtime Metrics ⚠️ Cannot Fix in Workflows

The audit noted that runtime metrics are unavailable due to missing gh CLI authentication. This is an infrastructure/CI configuration issue, not something that can be fixed in workflow files.

Validation

✅ Changes compiled and validated locally
✅ Only modified the workflow that genuinely needed safe-outputs
✅ No unnecessary changes to working configurations
✅ Minimal, surgical fix addressing the actual issue

Expected Improvements

  • Completes safe-outputs migration for the 1 workflow that needed it
  • Increases safe-outputs coverage from 93.8% to 94.5% (137/145 workflows)
  • Documents why other workflows legitimately don't use safe-outputs


This is a targeted, minimal fix based on thorough investigation of the audit findings. Only 1 of the 9 workflows flagged actually needed safe-outputs - the other 8 are legitimately configured for their specific use cases (tests, examples, read-only operations).

AI generated by Q

  • expires on Feb 6, 2026, 1:53 PM UTC

[!NOTE]
This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available in the agent-artifacts artifact in the workflow run linked above.

To apply the patch locally:

# Download the artifact from the workflow run https://github.com/github/gh-aw/actions/runs/21673890388
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 21673890388 -n agent-artifacts

# The patch file will be at agent-artifacts/tmp/gh-aw/aw.patch after download
# Apply the patch
git am agent-artifacts/tmp/gh-aw/aw.patch

Show patch (36 lines)
From ead6ccf98a11b5f331724d222bda72d095f5ecfb Mon Sep 17 00:00:00 2001
From: Q Workflow Optimizer...

</details>



- Fixes github/gh-aw#13738

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix safe-outputs configuration in notion-issue-summary workflow" to "Add safe-outputs configuration to notion-issue-summary workflow" on Feb 5, 2026
Copilot AI requested a review from pelikhan February 5, 2026 02:45
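
An added example (not code from this pull request or from gh-aw) of the kind of audit the description refers to: it reads each workflow's frontmatter, reports whether `safe-outputs` is declared as a top-level key, and flags files whose prompt text mentions a safe job or safe output without declaring one. The file names and contents in `SAMPLES` are constructed, and the `---` frontmatter delimiter and the text heuristic are assumptions of this example.

```python
import re

FENCE = "---"  # assumed frontmatter delimiter
KEY_RE = re.compile(r"^([A-Za-z0-9_-]+):")               # YAML key starting at column 0
SAFE_REF_RE = re.compile(r"safe[- ](job|output)", re.I)  # prompt text relying on safe outputs

def split_workflow(text):
    """Return (frontmatter_lines, body) for a markdown workflow file."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != FENCE:
        return [], text                       # no frontmatter at all
    for i in range(1, len(lines)):
        if lines[i].strip() == FENCE:
            return lines[1:i], "\n".join(lines[i + 1:])
    return [], text                           # unterminated frontmatter counts as none

def top_level_keys(frontmatter_lines):
    """Collect only unindented keys, so nested or body mentions do not count."""
    return {m.group(1) for line in frontmatter_lines if (m := KEY_RE.match(line))}

def classify(text):
    frontmatter, body = split_workflow(text)
    if "safe-outputs" in top_level_keys(frontmatter):
        return "configured"
    if SAFE_REF_RE.search(body):
        return "review"   # prompt mentions a safe job/output, frontmatter declares none
    return "absent"       # no declaration and no reference: may be read-only or a test

def audit(files):
    return {name: classify(text) for name, text in sorted(files.items())}

def coverage(configured, total):
    """Percentage of workflows that declare safe-outputs, to one decimal place."""
    return round(100.0 * configured / total, 1)

# Constructed sample files (hypothetical names, not taken from the repository).
SAMPLES = {
    "commenter-fixed.md": "---\non: issues\nsafe-outputs:\n  add-comment:\n    max: 1\n---\n"
                          "Summarize the issue and post it with the add-comment safe-output.\n",
    "commenter-unfixed.md": "---\non: issues\n---\n"
                            "Summarize the issue, then use the example_add_comment safe-job.\n",
    "indexer.md": "---\non: issues\n---\nIndex the issue into the database.\n",
    "no-frontmatter.md": "safe-outputs:\n  add-comment:\n    max: 1\n",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{status:<11}{name}")
    print("coverage after fix:", coverage(137, 145), "%")
```

A `review` result is a prompt for a human to check the workflow, not proof that the configuration is missing.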

pelikhan commented Feb 5, 2026

@copilot notion.md exposes a custom job
