fix: use neutral policy language in SAFE_XPIA_CONTENT to stop OpenAI cybersecurity filter#1495
Merged
lpcox merged 1 commit intocopilot/fix-gh-host-proxy-passthroughfrom Mar 29, 2026
Conversation
Replace cybersecurity-triggering content (was using <security> tag, 'network access controls', 'circumventing', 'authentication tokens', 'sandboxed environment') with neutral operational policy language using a <policy> tag. These terms triggered OpenAI's cyber_policy_violation filter, causing Smoke Codex to fail with 'temporarily limited for potentially suspicious activity related to cybersecurity'. Also add xpiaSafeBlockRegex so the postprocess script is idempotent when SAFE_XPIA_CONTENT changes (can update already-replaced blocks without requiring a full recompile from .md source). Regenerated smoke-codex.lock.yml and secret-digger-codex.lock.yml.
Copilot created this pull request from a session on behalf of
lpcox
March 29, 2026 16:32
View session
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Codex/OpenAI smoke workflow prompt post-processing to use more neutral, policy-style language in the inline XPIA block, aiming to avoid OpenAI’s cybersecurity content filter while keeping the same “stay within constraints” intent.
Changes:
- Reworded
SAFE_XPIA_CONTENT(e.g.,<security>→<policy>and replaced several terms) to avoid known filter-triggering phrases. - Made the postprocess step idempotent by detecting and updating an existing
GH_AW_XPIA_SAFE_EOFheredoc block in-place. - Regenerated the affected Codex lock workflows to embed the updated inline policy content.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| scripts/ci/postprocess-smoke-workflows.ts | Updates the safe inline XPIA policy text and adds an idempotent rewrite path via xpiaSafeBlockRegex + buildXpiaHeredoc(). |
| .github/workflows/smoke-codex.lock.yml | Refreshes the embedded inline XPIA heredoc content to the new neutral <policy> wording. |
| .github/workflows/secret-digger-codex.lock.yml | Refreshes the embedded inline XPIA heredoc content to the new neutral <policy> wording (including the append-to-prompt variant). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
lpcox
added a commit
that referenced
this pull request
Mar 29, 2026
…akage (#1493) * fix: always derive GH_HOST from GITHUB_SERVER_URL to prevent proxy leakage When --env-all passes through a proxy-rewritten GH_HOST (e.g. localhost:18443 from DIFC proxy), gh CLI fails with "none of the git remotes correspond to GH_HOST". Fix by always deriving GH_HOST from GITHUB_SERVER_URL (the canonical source injected by the Actions runner) instead of preserving leaked proxy values. For GHES/GHEC: overrides any leaked value with the correct hostname. For github.com: deletes any leaked GH_HOST so gh CLI uses its default. Closes #1492 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: replace xpia.md with safe inline policy to prevent cyber_policy_violation in Codex workflows (#1494) * Initial plan * fix: replace xpia.md with safe inline policy to fix cyber_policy_violation * fix: address code review feedback on xpia.md replacement logic Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/ecbda070-c667-4859-8ca2-8b15dee1e0a2 --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> * fix: use neutral policy language in SAFE_XPIA_CONTENT (#1495) Replace cybersecurity-triggering content (was using <security> tag, 'network access controls', 'circumventing', 'authentication tokens', 'sandboxed environment') with neutral operational policy language using a <policy> tag. These terms triggered OpenAI's cyber_policy_violation filter, causing Smoke Codex to fail with 'temporarily limited for potentially suspicious activity related to cybersecurity'. Also add xpiaSafeBlockRegex so the postprocess script is idempotent when SAFE_XPIA_CONTENT changes (can update already-replaced blocks without requiring a full recompile from .md source). Regenerated smoke-codex.lock.yml and secret-digger-codex.lock.yml. Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> * fix: clarify GH_HOST comment and fix misleading debug log message Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/6467baff-1e02-4ac7-ba24-841bc7081226 * chore: fix npm audit vulnerabilities (handlebars, brace-expansion) Run npm audit fix to resolve: - handlebars 4.0.0-4.7.8: critical (JS injection, prototype pollution) - brace-expansion 4.0.0-5.0.4: moderate (DoS via zero-step sequence) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve CodeQL file-system-race in postprocess script Remove existsSync guard before readFileSync to eliminate TOCTOU race condition (js/file-system-race). Use try/catch on readFileSync instead, which atomically handles missing files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
This was referenced Mar 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Root Cause Analysis
The Smoke Codex GitHub Actions workflow (job ID 69076276664) has been failing since March 28, 2026 with:
PR #1493 (
copilot/fix-gh-host-proxy-passthrough) included a previous fix (from PR #1494) that replacedxpia.md(which contained offensive security terminology like "container escape", "DNS/ICMP tunneling", "port scanning") with aSAFE_XPIA_CONTENTinline policy. However, the replacement text itself still contained phrases that trigger OpenAI'scyber_policy_violationfilter:<security>XML tagThe fix was incomplete — it replaced one set of triggering terms but the replacement used different triggering terms.
Changes
scripts/ci/postprocess-smoke-workflows.tsSAFE_XPIA_CONTENTto use fully neutral operational language:<security>→<policy>tagxpiaSafeBlockRegexto match already-replacedGH_AW_XPIA_SAFE_EOFblocks, making the postprocess script idempotent whenSAFE_XPIA_CONTENTchangesbuildXpiaHeredoc()helper to reduce duplication.github/workflows/smoke-codex.lock.ymlRegenerated with new neutral
<policy>content..github/workflows/secret-digger-codex.lock.ymlRegenerated with new neutral
<policy>content.CodeQL Analysis Investigation
The failing
CodeQLcheck (ID 69076316442, completed in ~2 seconds) is a GitHub code scanning alert status check, NOT from thecodeql.ymlworkflow run. The actualcodeql.ymlworkflow scan for PR #1493 (run23713266287) completed withconclusion: success. The 2-second check represents pre-existing code scanning alert state and is unrelated to the changes in this PR.Testing