Keep mgmt-review agent job alive despite gh-aw checkout bug (gh-aw#30791)#39247
Keep mgmt-review agent job alive despite gh-aw checkout bug (gh-aw#30791)#39247JialinHuang803 wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a temporary, guarded workaround for gh-aw#30791 so mgmt-review can run securely with checkout disabled.
Changes:
- Makes the erroneous checkout step non-fatal.
- Adds a PowerShell regression guard.
- Runs the guard when relevant files change.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/mgmt-review.lock.yml |
Applies the temporary tolerance. |
eng/scripts/verify-agentic-checkout-guard.ps1 |
Validates the workaround remains intact. |
.github/workflows/verify-agentic-checkout-guard.yml |
Runs validation on relevant PRs. |
gh-aw emits a "Checkout PR branch" step even when `checkout: false` is set,
so it fails with "not a git repository" and aborts the whole mgmt-review agent
job. The agent reads the PR via GitHub MCP and needs no local checkout, so
`checkout: false` is the correct, secure setting; removing it would re-enable
an insecure fork-code checkout under pull_request_target ("pwn request").
- Re-apply `continue-on-error: true` to the generated Checkout PR branch step.
- Add eng/scripts/verify-agentic-checkout-guard.ps1 + a CI workflow so a future
gh-aw recompile cannot silently drop the stopgap again.
Remove once gh-aw fixes github/gh-aw#30791.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 0c46d563-c393-41c2-80a6-a1da96764ba6
7d19065 to
0ac3017
Compare
|
@xirzec @jeremymeng this PR is to fix the mgmt-review agent which is currently failing by adding |
This is unfortunate. We have to manually fix the lock file every time we recompile the workflow? |
|
I think so. I haven't come up with a better way to make the workflow succeed with the |
jeremymeng
left a comment
There was a problem hiding this comment.
I am fine with temporary workaround before the gh-aw issue is fixed. @mikeharder @benbp any concerns in adding this GitHub workflow?
What & why
The
mgmt-reviewagent job currently fails before the review runs. gh-aw emits aCheckout PR branchstep even when the workflow setscheckout: false; with noactions/checkouthaving run there is no.git, so the step aborts withfatal: not a git repository(git exit 128), which aborts the whole agent job (e.g. run 28997043740).This is upstream gh-aw bug github/gh-aw#30791 (still open).
checkout: falseis the correct, secure setting here: the agent reads the PR entirely through the GitHub MCP and needs no local clone. Removingcheckout: falsewould "fix" the failure only by re-enabling an insecure fork-code checkout underpull_request_target(a "pwn request" — the gh-aw compiler explicitly warns against it).Changes
mgmt-review.lock.yml— re-applycontinue-on-error: trueto the generatedCheckout PR branchstep so the phantom helper stays non-fatal.checkout: falseis kept (no fork code on disk). Only the.lock.ymlis touched (not the.md), so the timestamp-based stale-lock check stays green.eng/scripts/verify-agentic-checkout-guard.ps1(new) — guard that fails ifmgmt-review.lock.yml'sCheckout PR branchstep losescontinue-on-error: true. Because*.lock.ymlare compiled artifacts, a gh-aw recompile/upgrade silently drops the line — the guard catches that regression.verify-agentic-checkout-guard.yml(new) — runs the guard on PRs touching mgmt-review's files or the guard itself.Scoped to
mgmt-reviewonly.Follow-up
Remove the
continue-on-errorline and this guard once gh-aw fixes #30791 and the workflow is recompiled against the fix.