Skip to content

Keep mgmt-review agent job alive despite gh-aw checkout bug (gh-aw#30791)#39247

Open
JialinHuang803 wants to merge 1 commit into
Azure:mainfrom
JialinHuang803:jialinhuang/mgmt-review-checkout-pr-stopgap
Open

Keep mgmt-review agent job alive despite gh-aw checkout bug (gh-aw#30791)#39247
JialinHuang803 wants to merge 1 commit into
Azure:mainfrom
JialinHuang803:jialinhuang/mgmt-review-checkout-pr-stopgap

Conversation

@JialinHuang803

@JialinHuang803 JialinHuang803 commented Jul 13, 2026

Copy link
Copy Markdown
Member

What & why

The mgmt-review agent job currently fails before the review runs. gh-aw emits a Checkout PR branch step even when the workflow sets checkout: false; with no actions/checkout having run there is no .git, so the step aborts with fatal: not a git repository (git exit 128), which aborts the whole agent job (e.g. run 28997043740).

This is upstream gh-aw bug github/gh-aw#30791 (still open).

checkout: false is the correct, secure setting here: the agent reads the PR entirely through the GitHub MCP and needs no local clone. Removing checkout: false would "fix" the failure only by re-enabling an insecure fork-code checkout under pull_request_target (a "pwn request" — the gh-aw compiler explicitly warns against it).

Changes

  • mgmt-review.lock.yml — re-apply continue-on-error: true to the generated Checkout PR branch step so the phantom helper stays non-fatal. checkout: false is kept (no fork code on disk). Only the .lock.yml is touched (not the .md), so the timestamp-based stale-lock check stays green.
  • eng/scripts/verify-agentic-checkout-guard.ps1 (new) — guard that fails if mgmt-review.lock.yml's Checkout PR branch step loses continue-on-error: true. Because *.lock.yml are compiled artifacts, a gh-aw recompile/upgrade silently drops the line — the guard catches that regression.
  • verify-agentic-checkout-guard.yml (new) — runs the guard on PRs touching mgmt-review's files or the guard itself.

Scoped to mgmt-review only.

Follow-up

Remove the continue-on-error line and this guard once gh-aw fixes #30791 and the workflow is recompiled against the fix.

Copilot AI review requested due to automatic review settings July 13, 2026 05:24

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a temporary, guarded workaround for gh-aw#30791 so mgmt-review can run securely with checkout disabled.

Changes:

  • Makes the erroneous checkout step non-fatal.
  • Adds a PowerShell regression guard.
  • Runs the guard when relevant files change.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
.github/workflows/mgmt-review.lock.yml Applies the temporary tolerance.
eng/scripts/verify-agentic-checkout-guard.ps1 Validates the workaround remains intact.
.github/workflows/verify-agentic-checkout-guard.yml Runs validation on relevant PRs.

gh-aw emits a "Checkout PR branch" step even when `checkout: false` is set,
so it fails with "not a git repository" and aborts the whole mgmt-review agent
job. The agent reads the PR via GitHub MCP and needs no local checkout, so
`checkout: false` is the correct, secure setting; removing it would re-enable
an insecure fork-code checkout under pull_request_target ("pwn request").

- Re-apply `continue-on-error: true` to the generated Checkout PR branch step.
- Add eng/scripts/verify-agentic-checkout-guard.ps1 + a CI workflow so a future
  gh-aw recompile cannot silently drop the stopgap again.

Remove once gh-aw fixes github/gh-aw#30791.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 0c46d563-c393-41c2-80a6-a1da96764ba6
@JialinHuang803 JialinHuang803 force-pushed the jialinhuang/mgmt-review-checkout-pr-stopgap branch from 7d19065 to 0ac3017 Compare July 13, 2026 05:31
@JialinHuang803 JialinHuang803 changed the title [engsys] Keep mgmt-review agent job alive despite gh-aw checkout bug (gh-aw#30791) Keep mgmt-review agent job alive despite gh-aw checkout bug (gh-aw#30791) Jul 13, 2026
@JialinHuang803

JialinHuang803 commented Jul 13, 2026

Copy link
Copy Markdown
Member Author

@xirzec @jeremymeng this PR is to fix the mgmt-review agent which is currently failing by adding continue-on-error to the lock file. Since lock files are recompiled on every gh-aw upgrade, that line gets silently wiped (which is exactly how this broke before). I added a new guard workflow as a CI check that fails if the continue-on-error ever disappears, so a future recompile can't quietly re-break the mgmt-review workflow. Do you think this is an appropriate way to work around this?

@jeremymeng

Copy link
Copy Markdown
Member

by adding continue-on-error to the lock file. Since lock files are recompiled on every gh-aw upgrade, that line gets silently wiped (which is exactly how this broke before).

This is unfortunate. We have to manually fix the lock file every time we recompile the workflow?

@JialinHuang803

Copy link
Copy Markdown
Member Author

I think so. I haven't come up with a better way to make the workflow succeed with the checkout: false there. Or we can temporally remove the checkout: false, but this is insecure and will get a warning when compiling.

@jeremymeng jeremymeng left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am fine with temporary workaround before the gh-aw issue is fixed. @mikeharder @benbp any concerns in adding this GitHub workflow?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants