Use workflow-id instead of runId for stable island identification

[Copilot]

The replace-island operation in updateBody was using context.runId for island markers, causing each workflow run to create new islands instead of updating existing ones. The identifier must be stable across runs to enable content replacement.

Changes

• Island marker identification: Changed from numeric runId to string workflow-id (derived from workflow markdown filename)

  • buildIslandStartMarker(workflowId) and buildIslandEndMarker(workflowId) now use workflow-id
  • findIsland(body, workflowId) searches by stable identifier
  • updateBody() accepts workflowId parameter instead of runId

• Callers updated: update_issue.cjs, update_pull_request.cjs, update_release.cjs now pass process.env.GH_AW_WORKFLOW_ID

Example

Before (unstable):

<!-- gh-aw-island-start:12345 -->
Content from run 12345
<!-- gh-aw-island-end:12345 -->

<!-- Second run creates new island -->
<!-- gh-aw-island-start:67890 -->
Content from run 67890
<!-- gh-aw-island-end:67890 -->

After (stable):

<!-- gh-aw-island-start:my-workflow -->
Content from run 2 (replaced content from run 1)
<!-- gh-aw-island-end:my-workflow -->

Multiple runs now update the same island section instead of appending new ones.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

---

Changeset

• Type: patch
• Description: Island markers now use the stable workflow-id so repeated runs update a single island instead of appending new sections.

Generated by Changeset Generator

[jobayertangail92-hub]

@copilot

[pelikhan]

@copilot review work, add tests

[github-actions]

✅ Changeset Generator completed successfully!

[github-actions]

🧪 Smoke Project is now testing project operations...

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.52.0
jq	✅	1.7
yq	✅	4.52.2
curl	✅	8.5.0
gh	✅	2.86.0
node	✅	20.20.0
python3	✅	3.12.3
go	✅	1.24.13
java	✅	21.0.10
dotnet	✅	10.0.102

Result: 12/12 tools available ✅ PASS

AI generated by Agent Container Smoke Test

[github-actions]

✅ Smoke Project completed successfully. All project operations validated.

[github-actions]

Smoke Test Results - Run 21957895205

✅ GitHub MCP
✅ Safe Inputs GH CLI
❌ Serena MCP
✅ Playwright
✅ File Writing
✅ Bash Tool
✅ Discussion Interaction
✅ Build gh-aw
✅ Workflow Dispatch

Overall: PASS (8/9)

PRs: #15211, #15210

cc @pelikhan @Copilot

AI generated by Smoke Copilot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

PR titles: Prevent workflow command injection in core.info() logging; Fix slide-deck-maintainer: require explicit safe output tool calls
GitHub MCP (2 merged PRs): ✅
Serena activate + find_symbol (>=3): ✅
Playwright title contains GitHub: ✅
File write + cat verify: ✅
Build make build: ✅
Overall: PASS

AI generated by Smoke Codex

[Copilot]

Pull request overview

Updates replace-island body updates to use a stable workflow identifier instead of context.runId, so repeated workflow runs replace a single existing “island” section rather than appending new ones.

Changes:

• Switched island marker construction/searching from runId to workflowId
• Updated action entrypoints to pass GH_AW_WORKFLOW_ID into updateBody
• Refreshed unit tests and fuzz harness inputs to use workflowId

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
actions/setup/js/update_pr_description_helpers.cjs	Use workflowId for island marker generation and lookup in replace-island.
actions/setup/js/update_pr_description_helpers.test.cjs	Update helper tests to assert markers/search use workflowId.
actions/setup/js/update_issue.cjs	Pass workflowId (from GH_AW_WORKFLOW_ID) into updateBody.
actions/setup/js/update_issue.test.cjs	Update issue update tests to expect workflow-id based island markers.
actions/setup/js/update_pull_request.cjs	Pass workflowId (from GH_AW_WORKFLOW_ID) into updateBody.
actions/setup/js/update_release.cjs	Pass workflowId (from GH_AW_WORKFLOW_ID) into updateBody.
actions/setup/js/fuzz_update_body_harness.cjs	Switch fuzz harness params/input from runId to workflowId.
.changeset/patch-stable-island-markers.md	Add changeset entry documenting the patch behavior change.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

replace-island now fully depends on workflowId, but nothing here enforces that it’s non-empty. If callers pass \"\" (which they currently do as a default), all workflows without GH_AW_WORKFLOW_ID will share the same markers (<!-- gh-aw-island-start: -->), causing unrelated runs/workflows to overwrite each other’s islands. Consider failing fast for replace-island when workflowId is falsy (with an actionable message), or deriving a stable fallback identifier instead of allowing the empty string.

[Copilot]

replace-island now fully depends on workflowId, but nothing here enforces that it’s non-empty. If callers pass \"\" (which they currently do as a default), all workflows without GH_AW_WORKFLOW_ID will share the same markers (<!-- gh-aw-island-start: -->), causing unrelated runs/workflows to overwrite each other’s islands. Consider failing fast for replace-island when workflowId is falsy (with an actionable message), or deriving a stable fallback identifier instead of allowing the empty string.

Suggested change

	if (operation === "replace-island") {
	if (operation === "replace-island") {
	if (!workflowId) {
	throw new Error(
	"updateBody: 'workflowId' must be a non-empty string for 'replace-island' operation. " +
	"Set GH_AW_WORKFLOW_ID or pass a stable workflowId value."
	);
	}

[Copilot]

workflowId is interpolated directly into an HTML comment marker. If it contains -->, newlines, or other unexpected characters, it can break marker structure and potentially enable marker spoofing/injection in the body. Recommend sanitizing/normalizing workflowId to a safe character set (and trimming) before building markers (e.g., restrict to [A-Za-z0-9._-] and replace others), and documenting the allowed format.

[Copilot]

workflowId is interpolated directly into an HTML comment marker. If it contains -->, newlines, or other unexpected characters, it can break marker structure and potentially enable marker spoofing/injection in the body. Recommend sanitizing/normalizing workflowId to a safe character set (and trimming) before building markers (e.g., restrict to [A-Za-z0-9._-] and replace others), and documenting the allowed format.

[Copilot]

There are good updates to move tests to workflowId, but the riskier new behaviors aren’t covered: (1) workflowId being empty/undefined (especially for replace-island) and (2) workflowId containing unsafe characters (e.g., whitespace, newlines, or -->). Add tests that assert the chosen behavior (throw, fallback, or sanitization) so marker stability/correctness doesn’t regress.