[WIP] Fix failing GitHub Actions workflow agent#1484
[WIP] Fix failing GitHub Actions workflow agent#1484lpcox merged 2 commits intocopilot/fix-one-shot-token-listfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the smoke-workflow postprocessing so generated *.lock.yml workflows reliably replace AWF binary install steps with local build steps, even after gh-aw’s install path changed to ${RUNNER_TEMP}/gh-aw.
Changes:
- Expand
postprocess-smoke-workflows.tsregex to match both/opt/gh-aw/...and${RUNNER_TEMP}/gh-aw/...install paths. - Replace all matching “Install AWF binary” steps (instead of requiring exactly one match) and improve logging.
- Regenerate
smoke-codex.lock.ymlto includenpm ci/npm run buildand a locally installedawfwrapper script.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| scripts/ci/postprocess-smoke-workflows.ts | Broadens install-step matching and applies replacement to multiple matches. |
| .github/workflows/smoke-codex.lock.yml | Switches AWF install to local build steps (npm build + wrapper install). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Install awf dependencies | ||
| run: npm ci | ||
| - name: Build awf | ||
| run: npm run build |
There was a problem hiding this comment.
In the detection job, these newly injected local build steps run npm ci / npm run build but the job never checks out the repository, so package.json/tsconfig.json/src won’t exist in $GITHUB_WORKSPACE and the build will fail. Add an actions/checkout (and ensure it checks out the same ref/PR branch as the agent job) before the Node/npm steps, or change the postprocess logic so only jobs with a checkout get the local-build replacement.
| // Replace "Install awf binary" step with local build steps | ||
| const matches = content.match(installStepRegexGlobal); | ||
| if (matches) { | ||
| if (matches.length !== 1) { | ||
| throw new Error( | ||
| `Expected exactly one awf install step in ${workflowPath}, found ${matches.length}. ` + | ||
| 'Ensure the workflow has a single "Install awf binary" step in the agent job.' | ||
| ); | ||
| } | ||
| content = content.replace( | ||
| installStepRegexGlobal, | ||
| (_match, indent: string) => buildLocalInstallSteps(indent) | ||
| ); | ||
| modified = true; | ||
| console.log(` Replaced awf install step with local build`); | ||
| console.log(` Replaced ${matches.length} awf install step(s) with local build`); |
There was a problem hiding this comment.
Dropping the matches.length !== 1 guard means this will blindly replace every matching install step, even in jobs that don’t have a repo checkout / Node toolchain. In this PR it results in smoke-codex.lock.yml’s detection job getting npm ci/npm run build without any actions/checkout. Consider reintroducing validation per-match (e.g., ensure the surrounding job contains a checkout step) and/or teach buildLocalInstallSteps injection to also add a checkout step when needed, so the postprocess script can’t generate broken workflows.
See below for a potential fix:
if (matches.length === 1) {
content = content.replace(
installStepRegexGlobal,
(_match, indent: string) => buildLocalInstallSteps(indent)
);
modified = true;
console.log(` Replaced ${matches.length} awf install step(s) with local build`);
} else {
console.warn(
` Skipping awf install step replacement: expected exactly 1 match, found ${matches.length}`
);
}
…passthrough (#1482) * Initial plan * feat: add --exclude-env flag to exclude vars from --env-all passthrough Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/378a3ff5-6143-43d0-ad80-8d2866c010d5 * test: add GITHUB_TOKEN exclusion test for excludeEnv with envAll Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/378a3ff5-6143-43d0-ad80-8d2866c010d5 * fix: recompile smoke-codex workflow with gh-aw v0.64.2 to unblock github.com (#1483) * Initial plan * fix: recompile smoke-codex with gh-aw v0.64.2 to add github.com to allowed domains --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> * [WIP] Fix failing GitHub Actions workflow agent (#1484) * Initial plan * fix: postprocess regex to match gh-aw v0.64.2 install path Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/2fc9b7aa-85e8-4db2-99c3-53b5e7c5c9b9 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
postprocess-smoke-workflows.tsregex didn't match new gh-aw v0.64.2 path format (${RUNNER_TEMP}/gh-aw/instead of/opt/gh-aw/), causing smoke-codex to use the release binary which lacks Docker build context for--build-localpostprocess-smoke-workflows.tsregex to match both old and new path formatssmoke-codex.lock.ymlwith local build stepsnpm run buildsucceeds on current branchOriginal prompt
🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.