Skip to content

fix: add diagnostic EACCES guard to workdir setup#5984

Merged
lpcox merged 3 commits into
mainfrom
fix/eacces-diagnostic-guard
Jul 8, 2026
Merged

fix: add diagnostic EACCES guard to workdir setup#5984
lpcox merged 3 commits into
mainfrom
fix/eacces-diagnostic-guard

Conversation

@lpcox

@lpcox lpcox commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Problem

When AWF's mkdirSync fails with EACCES (stale root-owned directories from a previous run), the raw Node.js error is opaque:

EACCES: permission denied, mkdir '/tmp/gh-aw/sandbox/firewall/logs'

This gives no indication of why it failed or how to fix it.

Solution

Wraps directory creation with a diagnostic EACCES catch that reports:

EACCES: cannot create work directory: /tmp/gh-aw/sandbox/firewall/logs
Path diagnosis:
  /tmp/gh-aw/sandbox/firewall: uid=0 gid=0 mode=755 writable=false
  └─ BLOCKED HERE: current process (uid=1001) cannot write to this directory
This typically happens on persistent runners when a previous AWF run left
directories owned by root. The calling process (e.g., gh-aw setup) must
remove or chown the stale directory before invoking AWF.
  Suggested fix: sudo rm -rf /tmp/gh-aw/sandbox/firewall && mkdir -p /tmp/gh-aw/sandbox/firewall/logs

Applied to both:

  • validateAndPrepareWorkDir() in config-writer.ts (workDir)
  • ensureDirectory() in workdir-setup.ts (all log/state directories)

Design decision

AWF intentionally does not attempt self-repair (no sudo rm, no Docker container workaround). In --network-isolation mode, AWF should not need elevated privileges. The actual fix belongs in the orchestrator (gh-aw setup action) which owns the paths and has the context to reclaim them. A companion PR will be opened in gh-aw.

Testing

  • All 3505 existing tests pass
  • Type-checks cleanly (tsc --noEmit)

Related

When mkdirSync fails with EACCES (typically caused by stale root-owned
directories from a previous AWF run), the error message now includes:

- The blocking ancestor directory path
- Its uid/gid/mode for immediate diagnosis
- The current process UID
- A clear explanation that the orchestrator must clean up stale directories
- A suggested fix command (sudo rm -rf)

This makes the failure actionable without requiring log archaeology.
The guard is applied to both validateAndPrepareWorkDir (config-writer.ts)
and ensureDirectory (workdir-setup.ts) which covers all directory creation
paths.

The actual fix for this class of failures belongs in the calling process
(e.g., gh-aw setup action) which owns the paths and has the context to
reclaim them. AWF intentionally does not attempt self-repair here because
it should not require sudo in --network-isolation mode.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 7, 2026 12:53
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 99.00% 98.41% 📉 -0.59%
Statements 98.95% 98.34% 📉 -0.61%
Functions 99.72% 99.44% 📉 -0.28%
Branches 95.44% 94.85% 📉 -0.59%
📁 Per-file Coverage Changes (2 files)
File Lines (Before → After) Statements (Before → After)
src/config-writer.ts 96.8% → 78.8% (-17.96%) 96.8% → 78.8% (-17.96%)
src/workdir-setup.ts 97.8% → 90.6% (-7.21%) 97.8% → 89.5% (-8.35%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves AWF’s developer/operator experience by adding targeted diagnostics when workdir/log/state directory creation fails with EACCES, helping users identify the blocking ancestor directory and the likely “stale root-owned directory on persistent runner” root cause.

Changes:

  • Added EACCES-specific error handling to directory creation in ensureDirectory() to surface a clearer, actionable failure message.
  • Added diagnoseEacces() path-walk diagnostics and wrapped validateAndPrepareWorkDir() to emit richer EACCES context during workdir hardening.
  • Kept the design choice to avoid self-repair and instead instruct the orchestrator to clean up stale directories.
Show a summary per file
File Description
src/workdir-setup.ts Wraps recursive mkdir with an EACCES diagnostic path-walk to identify the likely blocking ancestor directory during log/state directory setup.
src/config-writer.ts Adds diagnoseEacces() and wraps workDir creation/hardening to produce a more actionable EACCES error message.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 5
  • Review effort level: Low

Comment thread src/config-writer.ts
Comment on lines +114 to +118
`This typically happens on persistent runners when a previous AWF run ` +
`left directories owned by root. The calling process (e.g., gh-aw setup) ` +
`must remove or chown the stale directory before invoking AWF.\n` +
` Suggested fix: sudo rm -rf ${path.dirname(config.workDir)} && mkdir -p ${config.workDir}`
);
Comment thread src/config-writer.ts
Comment on lines +62 to +65
function isWritable(dirPath: string): boolean {
try {
fs.accessSync(dirPath, fs.constants.W_OK);
return true;
Comment thread src/workdir-setup.ts
Comment on lines +29 to +35
while (current !== path.dirname(current)) {
if (fs.existsSync(current)) {
try { fs.accessSync(current, fs.constants.W_OK); } catch { blocker = current; }
break;
}
current = path.dirname(current);
}
Comment thread src/workdir-setup.ts
Comment on lines +23 to +41
} catch (error: unknown) {
if (error && typeof error === 'object' && 'code' in error && error.code === 'EACCES') {
const uid = process.getuid?.() ?? '?';
// Identify the blocking ancestor for actionable diagnostics
let blocker = dirPath;
let current = path.resolve(dirPath);
while (current !== path.dirname(current)) {
if (fs.existsSync(current)) {
try { fs.accessSync(current, fs.constants.W_OK); } catch { blocker = current; }
break;
}
current = path.dirname(current);
}
throw new Error(
`EACCES: cannot create directory ${dirPath} (running as uid=${uid}).\n` +
` Blocked by: ${blocker}\n` +
` This is typically caused by a previous AWF run leaving root-owned directories.\n` +
` The orchestrator must clean up stale directories before invoking AWF.`
);
Comment thread src/config-writer.ts
Comment on lines +93 to +120
try {
const workDirCreated = Boolean(
fs.mkdirSync(config.workDir, { recursive: true, mode: 0o700 })
);
const workDirLstat = fs.lstatSync(config.workDir);
if (workDirLstat.isSymbolicLink()) {
throw new Error(`Refusing to use symlink as directory: ${config.workDir}`);
}
const workDirStat = fs.statSync(config.workDir);
if (!workDirStat.isDirectory()) {
throw new Error(`Expected directory but found non-directory path: ${config.workDir}`);
}
if (!workDirCreated) {
fs.chmodSync(config.workDir, 0o700);
}
} catch (error: unknown) {
if (error && typeof error === 'object' && 'code' in error && error.code === 'EACCES') {
const diagnostic = diagnoseEacces(config.workDir);
throw new Error(
`EACCES: cannot create work directory: ${config.workDir}\n` +
`${diagnostic}\n` +
`This typically happens on persistent runners when a previous AWF run ` +
`left directories owned by root. The calling process (e.g., gh-aw setup) ` +
`must remove or chown the stale directory before invoking AWF.\n` +
` Suggested fix: sudo rm -rf ${path.dirname(config.workDir)} && mkdir -p ${config.workDir}`
);
}
throw error;
@lpcox

lpcox commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot address review feedback

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@lpcox Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

- Fix isWritable() to check W_OK|X_OK instead of just W_OK, so the
  blocker is correctly identified when a directory lacks execute/search
  permission (config-writer.ts, workdir-setup.ts)
- Fix suggested remediation in validateAndPrepareWorkDir: use the
  identified blocker path instead of path.dirname(workDir), preventing
  an overly broad sudo rm -rf (e.g. /tmp) when workDir is shallow
- Fix ensureDirectory blocker detection: default blocker to the nearest
  existing ancestor rather than dirPath (which may not exist)
- Add fsMockFactory entries for mkdirSync/accessSync/statSync so tests
  can mock them without hitting 'Cannot redefine property'
- Add unit tests for EACCES diagnostic in ensureDirectory (workdir-setup.test.ts)
- Add unit tests for EACCES diagnostic in validateAndPrepareWorkDir (config-writer-branches.test.ts)"

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@copilot address review feedback

Addressed all review feedback in commit 6e2c73d:

isWritable()W_OK | X_OK (raised in both file threads): accessSync now checks fs.constants.W_OK | fs.constants.X_OK in both config-writer.ts and workdir-setup.ts, so a directory lacking execute/search permission is correctly identified as blocking.

Suggested fix path (config-writer.ts:114-118): diagnoseEacces() now returns { diagnosis, blockerPath }. The suggested fix uses blockerPath (the specific non-writable ancestor, e.g. /tmp/gh-aw/sandbox/firewall) when identified, falling back to workDir itself when none is found — no longer path.dirname(workDir) which could expand to /tmp.

blocker default (workdir-setup.ts:29-35): blocker now starts as null and is set to the nearest existing ancestor as soon as existsSync returns true — even if that ancestor appears writable. This gives a more actionable message than a non-existent dirPath.

Unit tests: Added 5 tests in workdir-setup.test.ts covering ensureDirectory's EACCES branch (blocker named, writable-ancestor case, null-blocker fallback, W_OK|X_OK probe, non-EACCES rethrow); and 3 tests in config-writer-branches.test.ts covering validateAndPrepareWorkDir's EACCES branch (blocker in suggested fix, null-blocker fallback, W_OK|X_OK probe). Added mkdirSync, accessSync, statSync to fsMockFactory so the mocks are jest-configurable without hitting Cannot redefine property.

Copilot finished work on behalf of lpcox July 7, 2026 13:23
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 99.00% 98.92% 📉 -0.08%
Statements 98.95% 98.87% 📉 -0.08%
Functions 99.72% 99.44% 📉 -0.28%
Branches 95.44% 95.35% 📉 -0.09%
📁 Per-file Coverage Changes (4 files)
File Lines (Before → After) Statements (Before → After)
src/test-helpers/fs-mock-factory.test-utils.ts 100.0% → 92.8% (-7.15%) 100.0% → 92.8% (-7.15%)
src/test-helpers/config-writer-test-harness.test-utils.ts 100.0% → 96.7% (-3.34%) 100.0% → 96.8% (-3.23%)
src/config-writer.ts 96.8% → 95.1% (-1.69%) 96.8% → 95.1% (-1.69%)
src/workdir-setup.ts 97.8% → 98.0% (+0.19%) 97.8% → 98.0% (+0.20%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@lpcox

lpcox commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator Author

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@copilot fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/28869556618/job/85634163143?pr=5984

Fixed in commit 16fab42.

The failing test strips client-supplied auth headers before forwarding (and the adjacent forwards buffered head bytes test) used setTimeout(..., 30) to wait for async events. Under CI load, the two-deep setImmediate chain occasionally takes longer than 30ms, causing the expect assertion to throw before resolve() is called, leaving the Promise unresolved and triggering Jest's 5 s timeout.

Changed both tests to the same event-driven pattern used by the already-passing "injects Authorization header" test:

// before (flaky)
return new Promise(resolve => setTimeout(() => { /* assertions */ }, 30));

// after (deterministic)
return new Promise(resolve => {
  tlsSocket.once('secureConnect', () => setImmediate(() => {
    /* assertions */
    resolve();
  }));
});

setImmediate here ensures websocket-tunnel.js's own secureConnect listener (which calls tlsSocket.write) runs synchronously before the assertions check mock.calls.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR #5984 appears to follow the applicable CONTRIBUTING.md guidelines based on the pre-fetched metadata, diff, and CONTRIBUTING.md: tests are included, the description is clear with related references, and changed files are organized appropriately.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 99.00% 98.92% 📉 -0.08%
Statements 98.95% 98.87% 📉 -0.08%
Functions 99.72% 99.44% 📉 -0.28%
Branches 95.44% 95.35% 📉 -0.09%
📁 Per-file Coverage Changes (4 files)
File Lines (Before → After) Statements (Before → After)
src/test-helpers/fs-mock-factory.test-utils.ts 100.0% → 92.8% (-7.15%) 100.0% → 92.8% (-7.15%)
src/test-helpers/config-writer-test-harness.test-utils.ts 100.0% → 96.7% (-3.34%) 100.0% → 96.8% (-3.23%)
src/config-writer.ts 96.8% → 95.1% (-1.69%) 96.8% → 95.1% (-1.69%)
src/workdir-setup.ts 97.8% → 98.0% (+0.19%) 97.8% → 98.0% (+0.20%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 7/7 changed files
  • Comments generated: 3
  • Review effort level: Low

Comment thread src/config-writer.ts
`This typically happens on persistent runners when a previous AWF run ` +
`left directories owned by root. The calling process (e.g., gh-aw setup) ` +
`must remove or chown the stale directory before invoking AWF.\n` +
` Suggested fix: sudo rm -rf ${suggestedPath} && mkdir -p ${suggestedPath}`
Comment thread src/config-writer.ts
Comment on lines +116 to +123
throw new Error(
`EACCES: cannot create work directory: ${config.workDir}\n` +
`${diagnosis}\n` +
`This typically happens on persistent runners when a previous AWF run ` +
`left directories owned by root. The calling process (e.g., gh-aw setup) ` +
`must remove or chown the stale directory before invoking AWF.\n` +
` Suggested fix: sudo rm -rf ${suggestedPath} && mkdir -p ${suggestedPath}`
);
Comment thread src/workdir-setup.ts
Comment on lines +24 to +44
if (error && typeof error === 'object' && 'code' in error && error.code === 'EACCES') {
const uid = process.getuid?.() ?? '?';
// Identify the blocking ancestor for actionable diagnostics.
// Default to the nearest existing ancestor (more actionable than a path that
// does not exist), and confirm with a W_OK|X_OK access check.
let blocker: string | null = null;
let current = path.resolve(dirPath);
while (current !== path.dirname(current)) {
if (fs.existsSync(current)) {
blocker = current;
try { fs.accessSync(current, fs.constants.W_OK | fs.constants.X_OK); } catch { /* confirmed blocker */ }
break;
}
current = path.dirname(current);
}
throw new Error(
`EACCES: cannot create directory ${dirPath} (running as uid=${uid}).\n` +
` Blocked by: ${blocker ?? dirPath}\n` +
` This is typically caused by a previous AWF run leaving root-owned directories.\n` +
` The orchestrator must clean up stale directories before invoking AWF.`
);
@github-actions github-actions Bot mentioned this pull request Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test (Direct BYOK Azure OpenAI via Entra)

  • Merged PRs: ${{ steps.smoke-data.outputs.SMOKE_PR_DATA }} ✅
  • GitHub.com connectivity ✅
  • File read/write ✅
  • Direct BYOK inference ✅

Overall PASS

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5984 · 55.8 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode

Status: ✅ PASS

  • ✅ BYOK Inference Test — Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY via api-proxy → api.githubcopilot.com)
  • ✅ Agent Environment Verified — Prompt processed successfully

Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) with api-proxy sidecar injection

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔬 Smoke Test Results

  • MCP: ✅ Connected
  • GitHub.com: ✅ HTTP 200
  • File Write/Read: ❌ Template vars not expanded (pre-step issue)

Overall: FAIL (file test inconclusive)

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: Copilot PAT Auth

Test Result
GitHub MCP Connectivity ✅ verified
GitHub.com HTTP ✅ HTTP 200
File Write/Read ⚠️ template vars not injected

Overall: PASS (2/2 verifiable tests passed)

Author: @lpcox | Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

$(sed s///g /tmp/gh-aw/agent/comment_body.md)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results: ❌ MCP, ❌ GitHub.com, ✅ File Writing, ✅ Bash Tools. Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.18.0 v22.23.1 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

Overall: Not all tests passed. Python and Node.js versions differ between host and chroot environments.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

API Proxy OpenTelemetry Tracing — Smoke Test Results

Scenario Result Detail
1. Module Loading ✅ Pass otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled, + serialization helpers
2. Test Suite ✅ Pass 59/59 tests passed across otel.test.js + otel-fanout.test.js (2 suites)
3. Env Var Forwarding ✅ Pass src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME to api-proxy container
4. Token Tracker Integration ✅ Pass onUsage callback exists in token-tracker-http.js and is invoked after normalized usage extraction
5. OTEL Diagnostics ✅ Expected No spans exported (no api-proxy running with OTEL configured in this CI run — graceful degradation working)

All scenarios pass. OTEL integration is correctly implemented.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Merged PRs

Checks

  • GitHub PR history: ✅
  • GitHub CLI query: ✅
  • GitHub title check: ✅
  • File write/read: ✅
  • Discussion comment: ✅
  • Build: ✅

Overall: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5984 · 46.2 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@lpcox lpcox merged commit f0898b2 into main Jul 8, 2026
89 of 90 checks passed
@lpcox lpcox deleted the fix/eacces-diagnostic-guard branch July 8, 2026 00:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants