[aw-compat] Cross-repo compilation audit 2026-06-12 — 1 codemod gap (max-effective-tokens: -1 skipped)

[github-actions]

Summary

Daily cross-repo compilation audit of the top 20 public repositories (by stars) that ship gh-aw-generated *.lock.yml workflows, compiled against the latest local build (gh aw version 07acf6c).

• Repos validated: 20 / 20 cloned
• Clean: 14 ✅
• Healed by gh aw fix --write: 4 🛠️
• Real failure (default + strict): 1 ❌
• Strict-only failure (passes default mode): 1 ⚠️ (by design)
• Discovery: cached-pool fallback — GitHub code search returned HTTP 429 (consistent with prior runs)

After gh aw fix --write, only 2 repos still fail strict compilation, and only 1 fails the default (non-strict) compile — a single, precisely-diagnosed codemod gap.

Critical finding — max-effective-tokens: -1 is not migrated (real failure)

dotnet/maui fails in both default and strict modes (gh aw fix does not heal it):

.github/workflows/ci-status-main.md:43:1: error: Unknown property: max-effective-tokens.
43 | max-effective-tokens: -1
     ^^^^^^^^^^^^^^^^^^^^

Affected files: ci-status-main.md, ci-status-net11.md.

Root cause (confirmed in source): The effective-tokens-to-ai-credits codemod (pkg/cli/codemod_effective_tokens_to_ai_credits.go) migrates max-effective-tokens → max-ai-credits, but skips the -1 "unlimited" sentinel for this field. The asymmetry is in how normalizeLegacyBudgetValue is called:

// line 41 — max-effective-tokens
if normalized, ok := normalizeLegacyBudgetValue(raw, false); ok { ... }   // allowNegativeOne = false
// line 52 — max-daily-effective-tokens
if normalized, ok := normalizeLegacyBudgetValue(raw, true); ok { ... }    // allowNegativeOne = true

For -1, normalizeLegacyBudgetValue only returns a value when allowNegativeOne is true. So max-daily-effective-tokens: -1 migrates, but max-effective-tokens: -1 is left untouched and then rejected as an unknown property.

This is the only thing skipped — positive values migrate fine. dotnet/aspnetcore had max-effective-tokens: <positive> in test-quarantine.md and was healed cleanly by the same codemod this run. Only the -1 sentinel is the gap.

Suggested fix (one line): Pass true for max-effective-tokens on line 41, symmetric with line 52, so max-effective-tokens: -1 → max-ai-credits: -1. This target is valid and documented — the schema for max-ai-credits states: "Set to -1 to disable both budget enforcement and token steering."

Note: this gap appears in 1 repo this run, below the 2-repo threshold for a dedicated missing-codemod issue, so it is reported here. It has recurred across the 2026-06-08/09/11 runs.

Strict-only failure (by design, not a bug)

Azure/azure-rest-api-specs → sdk-generation-agent.md passes the default compile but is rejected under --strict:

error: strict mode: secrets detected in 'env' section will be leaked to the agent container.
Found: ${{ secrets.GITHUB_PERSONAL_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}

This is the intended strict-mode security guardrail. Remediation is to move the secret into engine-specific secret configuration. Not auto-fixable and not a regression.

Repos healed by gh aw fix --write (4)

Repo	Pre-fix error	Codemod that healed it
storybookjs/storybook	tools.serena: unknown tool name	Migrate tools.serena to shared Serena import
dotnet/aspnetcore	Unknown property: max-effective-tokens (positive value)	effective-tokens-to-ai-credits
openvinotoolkit/openvino	workflow_run trigger should include branch restrictions	Add workflow_run branch restrictions
runhey/OnmyojiAutoScript	pull_request_target ... checkout enabled is extremely insecure + expires integer	Add checkout: false; convert expires integer to day string

These confirm the fix pipeline is working as intended for the common deprecations.

Full per-repo results (20)

Repo	⭐	md/lock	before	fix	after	default	verdict
f/prompts.chat	163457	1/1	0	0	0	0	clean
storybookjs/storybook	90250	4/2	1	0	0	0	healed-by-fix
moeru-ai/airi	40849	1/1	0	0	0	0	clean
dotnet/aspnetcore	38020	7/6	1	0	0	0	healed-by-fix
taosdata/TDengine	24895	2/2	0	0	0	0	clean
dotnet/maui	23264	7/7	1	0	1	1	real-failure
Z3Prover/z3	12330	24/19	0	0	0	0	clean
openvinotoolkit/openvino	10345	2/2	1	0	0	0	healed-by-fix
github/copilot-sdk	9380	11/11	0	0	0	0	clean
microsoft/aspire	6049	8/7	0	0	0	0	clean
Azure/azure-sdk-for-net	6009	3/3	0	0	0	0	clean
ReactiveX/RxPY	5015	1/1	0	0	0	0	clean
github/gh-aw	4588	343/246	0	0	0	0	clean
royshil/obs-backgroundremoval	4352	2/2	0	0	0	0	clean
TableProApp/TablePro	4342	1/1	0	0	0	0	clean
runhey/OnmyojiAutoScript	4333	12/8	1	0	0	0	healed-by-fix
dotnet/skills	3316	10/8	0	0	0	0	clean
Azure/azure-rest-api-specs	3068	4/2	1	0	1	0	strict-only
apache/cloudstack	2942	2/2	0	0	0	0	clean
Azure/azure-sdk-for-js	2292	11/11	0	0	0	0	clean

Columns = exit codes (0 = success). before/after use --strict; default is non-strict.

Recommendations

1. Close the -1 sentinel gap: in pkg/cli/codemod_effective_tokens_to_ai_credits.go:41, change normalizeLegacyBudgetValue(raw, false) → normalizeLegacyBudgetValue(raw, true) so max-effective-tokens: -1 migrates to max-ai-credits: -1 (symmetric with the daily field). This heals dotnet/maui with no schema change required.
2. No action needed for Azure/azure-rest-api-specs — strict-mode env-secret guard is working as designed.
3. Trend is stable and improving vs. recent runs (azure-sdk-for-net & dotnet/skills now clean); the effective-tokens codemod handles all positive values correctly.

Run context

• gh-aw build: 07acf6c
• Discovery: code search HTTP 429 → cached top-20 pool (verified public/non-archived from prior runs)
• Artifacts cached under aw-compat/runs/2026-06-12-10-00-11-071/ and rolling aw-compat/index/history.jsonl

References: §27408612568

Generated by 🔧 Daily AW Cross-Repo Compile Check · 329.6 AIC · ⌖ 30.9 AIC · ⊞ 6.6K · ◷

• expires on Jun 19, 2026, 2:55 AM UTC-08:00