
Fix gh-aw upgrade properly: bump to v0.74.4 and set push-signed-commits: false #326

@mrjf

Description

Context

PR #325 was titled "upgrade gh-aw to v0.74.4" but only landed v0.74.1 → v0.74.2. v0.74.2 is the version that introduced the strict push refusal that broke evergreen — it is not the fix.

Failed run after the merge: https://github.com/githubnext/tsb/actions/runs/26044208725

Error:

pushSignedCommits: refusing unsigned push for branch 'autoloop/tsb-perf-evolve':
merge commit detected. GitHub's createCommitOnBranch GraphQL mutation cannot
represent merge commits... or set push-signed-commits: false if the repository
does not require signed commits.

Root cause

autoloop/tsb-perf-evolve contains merge commit abf504e ("Merge pull request #322 from githubnext/autoloop/perf-comparison"). Two push transports, both blocked:

  1. Signed push (GraphQL createCommitOnBranch) — fundamentally cannot represent merge commits (multiple parents). Not fixable in gh-aw.
  2. Unsigned push fallback — refused by v0.74.2's PushSignedCommitsUnsupportedShape check (gh-aw #31876).

The option to opt into the unsigned fallback (push-signed-commits: false) was added in v0.74.3 (gh-aw #32271). v0.74.2 has no such option, so the message in the error is misleading on that version.

What needs to be done — exact steps

1. Re-bump gh-aw-actions/setup to v0.74.4 across all lock files.

Files to update:

  • .github/workflows/autoloop.lock.yml
  • .github/workflows/evergreen.lock.yml
  • .github/workflows/ci-doctor.lock.yml
  • .github/aw/actions-lock.json

Change every:

github/gh-aw-actions/setup@23453ecc01928d28ee1e773e403b216b29e89a5b # v0.74.2

to:

github/gh-aw-actions/setup@069305b523ecd7fbd05c5681a049b570b1fe6136 # v0.74.4

And update the compiler_version metadata banner in each .lock.yml from v0.74.2 to v0.74.4.

Easiest path: install the gh-aw CLI v0.74.4 locally and run gh aw compile — do not hand-edit the lock files.

2. Add push-signed-commits: false to the safe-outputs block in every workflow source that uses push_to_pull_request_branch.

In .github/workflows/autoloop.md (and evergreen / ci-doctor if they also push), under safe-outputs:

safe-outputs:
  push-signed-commits: false   # add this
  push_to_pull_request_branch:
    ...

This is the option the error message tells you to set. It only takes effect from v0.74.3+, which is why step 1 is required first.

3. Confirm tsb's PR branches do not have a "Require signed commits" ruleset.

Check Settings → Rules → Rulesets and Settings → Branches. If signed commits are required on autoloop/* or main, step 2 will not work and we need to do step 4 instead.

4. (Recommended regardless) Switch the agent's main-sync from merge to rebase.

The real underlying problem is that the agent creates merge commits on the PR branch when syncing main. Wherever the autoloop workflow does git merge main (or git pull without --rebase) to keep the branch current, change it to git pull --rebase origin main (or git fetch && git rebase origin/main). This eliminates merge commits entirely and removes the dependency on push-signed-commits: false.
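The shape check behind the error is simply "does the range base..branch contain any commit with more than one parent". The following is an added example (not part of this issue or of gh-aw) that builds a throwaway repository, syncs a PR branch with a merge (producing the 2-parent commit that createCommitOnBranch cannot represent), counts it with git rev-list --merges, then undoes the merge and syncs with a rebase instead. It assumes a git binary is on PATH; the branch and file names are constructed for the demo.

```python
import os
import subprocess
import tempfile
from typing import Tuple


def git(repo: str, *args: str) -> str:
    """Run git non-interactively in `repo` with a fixed identity and signing disabled."""
    base = [
        "git",
        "-c", "user.name=demo",
        "-c", "user.email=demo@example.invalid",
        "-c", "commit.gpgsign=false",
    ]
    proc = subprocess.run(base + list(args), cwd=repo, check=True,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def count_merge_commits(repo: str, base: str, branch: str) -> int:
    """Commits reachable from `branch` but not `base` that have more than one parent.

    Any non-zero value is a branch shape the signed-push transport
    (createCommitOnBranch) cannot reproduce; a pre-push guard can refuse early here.
    """
    return int(git(repo, "rev-list", "--merges", "--count", f"{base}..{branch}"))


def write_commit(repo: str, name: str, content: str) -> None:
    """Create a file and commit it (constructed content, demo only)."""
    with open(os.path.join(repo, name), "w") as fh:
        fh.write(content)
    git(repo, "add", name)
    git(repo, "commit", "-q", "-m", f"add {name}")


def demo() -> Tuple[int, int]:
    """Return (merge commits after a merge-style sync, merge commits after a rebase sync)."""
    with tempfile.TemporaryDirectory() as repo:
        git(repo, "init", "-q")
        git(repo, "checkout", "-q", "-b", "main")
        write_commit(repo, "base.txt", "base\n")

        # Agent work on a PR branch (hypothetical name, mirrors the autoloop/* pattern).
        git(repo, "checkout", "-q", "-b", "autoloop/demo")
        write_commit(repo, "agent.txt", "agent work\n")

        # Meanwhile main moves on, so the branch must be synced.
        git(repo, "checkout", "-q", "main")
        write_commit(repo, "upstream.txt", "upstream change\n")
        git(repo, "checkout", "-q", "autoloop/demo")

        # Merge-style sync: creates a 2-parent commit on the PR branch.
        git(repo, "merge", "--no-edit", "-q", "main")
        before = count_merge_commits(repo, "main", "autoloop/demo")

        # Undo the merge and sync with a rebase instead: linear history, no merge commit.
        git(repo, "reset", "-q", "--hard", "ORIG_HEAD")
        git(repo, "rebase", "-q", "main")
        after = count_merge_commits(repo, "main", "autoloop/demo")
        return before, after


if __name__ == "__main__":
    print(demo())  # (1, 0)
```

count_merge_commits is the piece worth keeping: run it against origin/main..HEAD before the push step and fail the job with a clear message if it is non-zero, so the agent never reaches the refusal inside gh-aw.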

Verification

After landing the fix:

  • grep -r "v0.74" .github/ should show only v0.74.4.
  • grep -r "push-signed-commits: false" .github/workflows/*.md should match in any workflow that does push_to_pull_request_branch.
  • Re-run the evergreen workflow and confirm safe_outputs succeeds against a branch with a merge commit (or, if step 4 is taken, against any agent-produced branch).
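The grep checks above only look at the version comment, and the comment is not the pin: a lock file with the old SHA next to a "# v0.74.4" comment passes grep and still runs v0.74.2. The following is an added example (not part of this issue or of gh-aw) that audits lock files for the exact SHA and version pair from step 1, checks the compiler_version banner, and checks that any workflow source using push_to_pull_request_branch also sets push-signed-commits: false under safe-outputs (step 2). The lock and workflow snippets are constructed samples; the banner format "compiler_version: vX.Y.Z" and the single-nesting-level frontmatter layout are assumptions, since the issue only names the key.

```python
import re
from typing import Dict, List

# Expected pin after the fix (values from the issue). Both the SHA and the
# version comment must agree; a comment saying v0.74.4 next to the v0.74.2 SHA
# is exactly the drift a grep for "v0.74" would miss.
EXPECTED_SHA = "069305b523ecd7fbd05c5681a049b570b1fe6136"
EXPECTED_VERSION = "v0.74.4"

PIN_RE = re.compile(
    r"github/gh-aw-actions/setup@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<ver>v\d+\.\d+\.\d+)"
)
# Assumed banner shape; adjust if the real lock files differ.
BANNER_RE = re.compile(r"compiler_version[^0-9]*?(?P<ver>v\d+\.\d+\.\d+)")


def audit_lock(text: str) -> List[str]:
    """Return findings for one .lock.yml / actions-lock.json body (empty == clean)."""
    findings: List[str] = []
    pins = list(PIN_RE.finditer(text))
    if not pins:
        findings.append("no gh-aw-actions/setup pin found")
    for m in pins:
        sha, ver = m.group("sha"), m.group("ver")
        if sha != EXPECTED_SHA:
            findings.append(
                f"setup pinned to {sha[:7]} ({ver}), want {EXPECTED_SHA[:7]} ({EXPECTED_VERSION})"
            )
        elif ver != EXPECTED_VERSION:
            findings.append(f"SHA is correct but comment says {ver}, want {EXPECTED_VERSION}")
    banner = BANNER_RE.search(text)
    if banner and banner.group("ver") != EXPECTED_VERSION:
        findings.append(f"compiler_version banner is {banner.group('ver')}, want {EXPECTED_VERSION}")
    return findings


def safe_outputs_block(md: str) -> List[str]:
    """Lines nested under a top-level `safe-outputs:` key in a workflow .md frontmatter."""
    block: List[str] = []
    inside = False
    for line in md.splitlines():
        if not inside:
            if line.strip() == "safe-outputs:" and not line.startswith((" ", "\t")):
                inside = True
            continue
        if line.strip() == "":
            continue
        if not line.startswith((" ", "\t")):  # dedent (or the closing ---) ends the block
            break
        block.append(line)
    return block


def audit_workflow_source(md: str) -> List[str]:
    """Flag push_to_pull_request_branch used without push-signed-commits: false."""
    block = safe_outputs_block(md)
    if not block:
        return []  # no safe-outputs at all: nothing to check here
    indent = min(len(l) - len(l.lstrip()) for l in block)
    direct: Dict[str, str] = {}
    for l in block:
        if len(l) - len(l.lstrip()) == indent:
            key, _, val = l.strip().partition(":")
            direct[key.strip()] = val.split("#", 1)[0].strip()  # drop trailing comment
    findings: List[str] = []
    if "push_to_pull_request_branch" in direct and direct.get("push-signed-commits") != "false":
        findings.append("push_to_pull_request_branch used without push-signed-commits: false")
    return findings


# Constructed samples (not real tsb files).
OLD_LOCK = """# compiler_version: v0.74.2
      - uses: github/gh-aw-actions/setup@23453ecc01928d28ee1e773e403b216b29e89a5b # v0.74.2
"""
DRIFTED_LOCK = """# compiler_version: v0.74.4
      - uses: github/gh-aw-actions/setup@23453ecc01928d28ee1e773e403b216b29e89a5b # v0.74.4
"""
FIXED_LOCK = """# compiler_version: v0.74.4
      - uses: github/gh-aw-actions/setup@069305b523ecd7fbd05c5681a049b570b1fe6136 # v0.74.4
"""
OLD_SRC = """---
on: workflow_dispatch
safe-outputs:
  push_to_pull_request_branch:
    # (options elided in this constructed sample)
---
"""
FIXED_SRC = """---
on: workflow_dispatch
safe-outputs:
  push-signed-commits: false   # add this
  push_to_pull_request_branch:
    # (options elided in this constructed sample)
---
"""

if __name__ == "__main__":
    for name, body in [("old", OLD_LOCK), ("drifted", DRIFTED_LOCK), ("fixed", FIXED_LOCK)]:
        print(name, audit_lock(body))
    print("old src", audit_workflow_source(OLD_SRC))
    print("fixed src", audit_workflow_source(FIXED_SRC))
```

Run audit_lock over the four files listed in step 1 and audit_workflow_source over .github/workflows/*.md; the DRIFTED_LOCK case is the one to remember, since `grep -r "v0.74"` reports it as clean.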

Why PR #325 didn't work

  • It bumped to the wrong version (v0.74.2 instead of v0.74.4).
  • Even at v0.74.3+, it did not add push-signed-commits: false to the workflow source — the version bump alone has no effect because v0.74.3 only adds the option, it doesn't change the default.
