Fix gh aw add auth failure for public repos in agentic workflows #19853
…kflows

- Fall back to git-based download when api.DefaultRESTClient() fails due to missing auth
- Handle auth failure in resolveRemoteSymlinks gracefully (skip rather than hard fail)
- Skip caching (not fail) when SHA resolution fails with auth error in downloadIncludeFromWorkflowSpec
- Add 'saml enforcement' keyword to IsAuthError for SAML org enforcement errors

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot add integration to test the unauthenticated scenario specifically, in ci.yml
- Add TestAddPublicWorkflowUnauthenticated in pkg/cli/add_integration_test.go
- Add TestDownloadFileFromGitHubUnauthenticated in pkg/parser/remote_fetch_integration_test.go
- Add integration-unauthenticated-add CI job in .github/workflows/ci.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Added in e67872d:
Pull request overview
Fixes unauthenticated failures when resolving/downloading remote workflow imports in agentic workflows by falling back to git-based fetches when GitHub REST client creation fails due to missing auth.
Changes:
- Add git fallback when `api.DefaultRESTClient()` fails during remote file download; relax SHA-resolution errors to only disable caching.
- Make symlink-resolution gracefully skippable on REST client auth failures.
- Extend auth-error detection to include SAML enforcement cases.
- Add integration tests + CI job to gate the unauthenticated public-repo scenario.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/parser/remote_fetch.go | Adds auth-error fallback to git when REST client creation fails; avoids failing include downloads on SHA-resolution auth errors; softens symlink resolution failures. |
| pkg/gitutil/gitutil.go | Expands IsAuthError matching to include SAML enforcement messages. |
| pkg/parser/remote_fetch_integration_test.go | Adds integration test for unauthenticated downloadFileFromGitHub behavior. |
| pkg/cli/add_integration_test.go | Adds end-to-end integration test for gh aw add against a public repo with tokens removed. |
| .github/workflows/ci.yml | Adds a dedicated CI job to run the new unauthenticated integration tests. |
Comments suppressed due to low confidence (2)
pkg/parser/remote_fetch_integration_test.go:294
- This test claims to validate the unauthenticated git-fallback path, but it will also pass when `api.DefaultRESTClient()` succeeds (e.g., via a local `gh` config token), which means it may not actually exercise the fallback behavior on developer machines. Consider asserting that REST client creation fails after clearing env vars (and `t.Skip` if it doesn’t) so the test deterministically covers the intended unauthenticated scenario.

```go
content, err := downloadFileFromGitHub(owner, repo, path, ref)
// If the REST client unexpectedly succeeds (e.g., gh config file has a token),
// that is also fine – the point is that the file is returned without error.
if err != nil {
```
.github/workflows/ci.yml:2356
- The artifact file is named `test-result-integration-unauthenticated.json`, but the command does not pass `-json` to `go test`, so the output won’t be JSON (unlike the existing unit-test step which uses `-json`). Either add `-json` or rename the artifact to a `.txt`/`.log` to avoid confusing downstream tooling and readers.

```bash
go test -v -parallel=4 -timeout=10m -tags 'integration' \
  -run 'TestAddPublicWorkflowUnauthenticated|TestDownloadFileFromGitHubUnauthenticated' \
  ./pkg/cli/ ./pkg/parser/ \
  | tee test-result-integration-unauthenticated.json
```
| run: | | ||
| go test -v -parallel=4 -timeout=10m -tags 'integration' \ | ||
| -run 'TestAddPublicWorkflowUnauthenticated|TestDownloadFileFromGitHubUnauthenticated' \ | ||
| ./pkg/cli/ ./pkg/parser/ \ | ||
| | tee test-result-integration-unauthenticated.json | ||
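Review bot: the `-run` pattern on the second line of this step is an unanchored regular expression, and `go test` exits 0 when the pattern matches no tests, so renaming either test would leave this job green while running nothing. Anchor it as `^(TestAddPublicWorkflowUnauthenticated|TestDownloadFileFromGitHubUnauthenticated)$` and fail the step when the output has no result line for each of the two tests.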
This step pipes go test into tee without set -o pipefail (or an explicit ${PIPESTATUS[0]} check). In bash, that can cause the step to succeed even when tests fail, making this CI gate unreliable. Add set -o pipefail (and ideally -json if you intend to upload JSON results) or otherwise ensure the go test exit code is propagated.
This issue also appears on line 2352 of the same file.
@copilot investigate https://github.com/github/gh-aw/actions/runs/22764373245/job/66029161849 Consider using raw url as well to fetch sources.
…r skip, pipefail

- Add downloadFileViaRawURL (raw.githubusercontent.com) as first no-auth fallback
- Use 30s HTTP timeout to prevent indefinite hangs
- Fix TestAddPublicWorkflowUnauthenticated to use githubnext/agentics/poem-bot@main
- Fix TestDownloadFileFromGitHubUnauthenticated skip condition (avoid matching "gitignore")
- Add set -o pipefail and -json flag to CI unauthenticated test step

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
The CI failure was caused by two issues, both fixed in 1603643:
Also addressed the code-review issues: narrowed the skip condition in the test (no longer matches "gitignore") and added
…hat exists

The previous fix used githubnext/agentics/poem-bot@main which failed because:

1. The githubnext org has SAML enforcement (raw URL blocked)
2. The file workflows/poem-bot.md doesn't exist in that repo

Switch to github/gh-aw/.github/workflows/github-mcp-tools-report.md@v0.45.5:

- File is confirmed accessible via raw.githubusercontent.com (HTTP 200)
- github org allows unauthenticated raw access for public repos

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
The failure was caused by Fixed in 35ae206: switched to

@copilot investigate failures in https://github.com/github/gh-aw/actions/runs/22768588176/job/66062811806
When api.DefaultRESTClient() fails with auth error and the git fallback also fails (e.g., in CI with no GH_TOKEN and git also can't authenticate), return the original auth error instead of the git error. This preserves the "authentication token not found" message in the error, allowing pre-existing tests (TestDownloadFileFromGitHubInvalidRepo, TestDownloadFileFromGitHubInvalidPath, TestDownloadFileFromGitHubSymlinkRoute) to detect the auth condition and skip - the same behavior as before the fallback was added.

The raw URL path that makes TestAddPublicWorkflowUnauthenticated work is unaffected: when raw URL succeeds (HTTP 200), gitErr is nil and the content is returned normally.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Three pre-existing tests were failing in the standard integration job because it has no
Root cause: when Fixed in 5c00710: when both the REST client (auth error) and the git fallback fail, return the original auth error instead of the git error. This preserves
- `downloadFileFromGitHubWithDepth` - fall back to git/raw-URL when REST client creation fails with auth error
- `resolveRemoteSymlinks` - gracefully handle auth failure in `api.DefaultRESTClient()`
- `downloadIncludeFromWorkflowSpec` - skip caching instead of failing when SHA resolution fails with auth error
- `IsAuthError`
- `downloadFileViaRawURL` using `raw.githubusercontent.com` as first unauthenticated fallback (no git required, 30s timeout)
- `TestAddPublicWorkflowUnauthenticated` integration test — uses `github/gh-aw/.github/workflows/github-mcp-tools-report.md@v0.45.5` (confirmed accessible without auth)
- `TestDownloadFileFromGitHubUnauthenticated` integration test (precise skip conditions)
- `integration-unauthenticated-add` CI job with `set -o pipefail` and `-json` flag
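
The fallback order described in this PR (authenticated REST first, unauthenticated fallbacks only on an auth error, and the original auth error returned when every fallback fails), as an added Go example that is not the project's code. The `fetcher` type, `download`, the two-keyword `isAuthError` and the constructed error strings are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// fetcher is a hypothetical stand-in for one download strategy (REST, raw URL, git).
type fetcher func(owner, repo, path, ref string) ([]byte, error)

// isAuthError matches only the two messages quoted on this page (assumption:
// the project's own IsAuthError knows more keywords).
func isAuthError(err error) bool {
	if err == nil {
		return false
	}
	msg := strings.ToLower(err.Error())
	return strings.Contains(msg, "authentication token not found") ||
		strings.Contains(msg, "saml enforcement")
}

// download tries the authenticated path first. Only an auth error triggers the
// unauthenticated fallbacks, in order; any other error is returned untouched.
// If every fallback fails, the original auth error is returned so callers can
// still recognise the "no credentials" condition.
func download(rest fetcher, fallbacks []fetcher, owner, repo, path, ref string) ([]byte, error) {
	content, err := rest(owner, repo, path, ref)
	if err == nil || !isAuthError(err) {
		return content, err
	}
	for _, fb := range fallbacks {
		if c, fbErr := fb(owner, repo, path, ref); fbErr == nil {
			return c, nil
		}
	}
	return nil, err
}

func main() {
	// Constructed fetchers simulating a runner with no token.
	rest := func(_, _, _, _ string) ([]byte, error) {
		return nil, errors.New("authentication token not found for host")
	}
	raw := func(_, _, _, _ string) ([]byte, error) { return nil, errors.New("HTTP 403: SAML enforcement") }
	git := func(_, _, _, _ string) ([]byte, error) { return []byte("# workflow"), nil }
	out, err := download(rest, []fetcher{raw, git}, "owner", "repo", "wf.md", "main")
	fmt.Printf("%q %v\n", out, err)
}
```

Restricting the fallback to auth errors keeps a 404 or a network failure on the authenticated path from being masked by a fallback that happens to succeed.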