Skip to content

Commit 1e11f8b

Browse files
github-actions[bot]github-actions[bot]
authored
docs: document needs: ordering for custom safe-output jobs (#23503)
1 parent 7569f8a commit 1e11f8b

File tree

1 file changed

+30
-0
lines changed

1 file changed

+30
-0
lines changed

docs/src/content/docs/reference/custom-safe-outputs.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -226,11 +226,41 @@ The agent uses read-only tools to query, then calls the safe-job which executes
226226
| `inputs` | object | Yes | Tool parameters (see [Input Types](#input-types)) |
227227
| `steps` | array | Yes | GitHub Actions steps to execute |
228228
| `output` | string | No | Success message returned to the agent |
229+
| `needs` | string or array | No | Jobs that must complete before this job runs (see [Job Ordering](#job-ordering-needs)) |
229230
| `permissions` | object | No | GitHub token permissions for the job |
230231
| `env` | object | No | Environment variables for all steps |
231232
| `if` | string | No | Conditional execution expression |
232233
| `timeout-minutes` | number | No | Maximum job duration (GitHub Actions default: 360) |
233234

235+
### Job Ordering (`needs:`)
236+
237+
Use `needs:` to sequence a custom safe-output job relative to other jobs in the compiled workflow. Unlike manually patching `needs:` in the lock file (which gets overwritten on every recompile), `needs:` declared in the frontmatter persists across recompiles.
238+
239+
```yaml wrap
240+
safe-outputs:
241+
create-issue: {}
242+
jobs:
243+
post-process:
244+
needs: safe_outputs # runs after the consolidated safe-outputs job
245+
steps:
246+
- run: echo "post-processing"
247+
```
248+
249+
The compiler validates each `needs:` entry at compile time and fails with a clear error if the target does not exist. Target names with dashes are automatically normalized to underscores (e.g., `safe-outputs` → `safe_outputs`).
250+
251+
Valid `needs:` targets for custom safe-jobs:
252+
253+
| Target | Available when |
254+
|--------|---------------|
255+
| `agent` | Always |
256+
| `safe_outputs` | At least one builtin handler, script, action, or user step is configured |
257+
| `detection` | Threat detection is enabled |
258+
| `upload_assets` | `upload-asset` is configured |
259+
| `unlock` | `lock-for-agent` is enabled |
260+
| `<job-name>` | That job exists in `safe-outputs.jobs` |
261+
262+
Self-dependencies and cycles between custom jobs are also caught at compile time.
263+
234264
### Input Types
235265

236266
All jobs must define `inputs`:

0 commit comments

Comments
 (0)