Fixed aws #638
Fixed aws #638
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the GitHub Agentic Workflows (gh-aw) smoke-test workflows and associated lock artifacts, primarily bumping gh-aw versions and adjusting MCP gateway/container configuration.
Changes:
- Updated gh-aw action references (repo/SHAs) and bumped related tool versions (Copilot CLI, awf, MCP gateway images).
- Tweaked workflow runtime configuration (allowed domains, Playwright MCP args, debug env, safe outputs wiring).
- Updated the repository action lock mapping entries.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/smoke-copilot.md | Adjusts smoke-copilot frontmatter (network/tooling + MCP gateway container reference). |
| .github/workflows/smoke-copilot.lock.yml | Regenerated compiled workflow with new gh-aw version and updated MCP/allowlist/safe-output behavior. |
| .github/workflows/smoke-codex.lock.yml | Regenerated compiled workflow with updated gh-aw version, schedule tweak, and MCP/allowlist changes. |
| .github/aw/actions-lock.json | Updates pinned action entries/versions for gh-aw compilation/locking. |
Comments suppressed due to low confidence (1)
.github/workflows/smoke-copilot.lock.yml:1205
- GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG no longer includes a "noop" handler, even though the workflow defines and documents the noop tool. If noop is expected to be used (per the prompt note), include it here so safe_output_handler_manager can process it; otherwise remove the noop instruction/tool to avoid confusion.
GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"hide_older_comments\":true,\"max\":1},\"add_labels\":{\"allowed\":[\"smoke-copilot\"]},\"create_issue\":{\"expires\":2,\"max\":1},\"missing_data\":{},\"missing_tool\":{}}"
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "actions/upload-artifact@v4.6.2": { | ||
| "repo": "actions/upload-artifact", | ||
| "version": "v4", | ||
| "version": "v4.6.2", | ||
| "sha": "ea165f8d65b6e75b540449e92b4886f43607fa02" |
There was a problem hiding this comment.
The actions lock entry for upload-artifact was renamed from the major tag ("actions/upload-artifact@v4") to a fully pinned tag ("actions/upload-artifact@v4.6.2"). Other sources in this repo still reference the major tag (e.g. .github/workflows/nightly-mcp-stress-test.md uses actions/upload-artifact@v4, and the schema example does too), so future gh-aw compiles may fail to resolve the action. Keep a major-tag alias entry (actions/upload-artifact@v4) pointing to the pinned version/sha, or support both keys.
| "container": "mcr.microsoft.com/playwright/mcp", | ||
| "args": ["--init", "--network", "host"], | ||
| "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--allowed-hosts", "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com", "--allowed-origins", "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com"], | ||
| "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--allowed-hosts", "localhost,localhost:*,127.0.0.1,127.0.0.1:*,github.com", "--allowed-origins", "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com"], |
There was a problem hiding this comment.
Playwright MCP "--allowed-hosts" switched from the semicolon-delimited format used elsewhere in this repo to a comma-delimited list, while "--allowed-origins" remains semicolon-delimited. This inconsistency is likely to break Playwright MCP argument parsing. Align both flags to the delimiter format used in other workflows (e.g. daily-multi-device-docs-tester.lock.yml uses semicolons for both).
| "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--allowed-hosts", "localhost,localhost:*,127.0.0.1,127.0.0.1:*,github.com", "--allowed-origins", "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com"], | |
| "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--allowed-hosts", "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com", "--allowed-origins", "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com"], |
|
|
||
| **Critical**: Tool calls write structured data that downstream jobs process. Without tool calls, follow-up actions will be skipped. | ||
|
|
||
| **Note**: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed. |
There was a problem hiding this comment.
The prompt now instructs the agent to call the "noop" safe output tool when no other tool calls were made, but this workflow's safe outputs handler config (GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG) no longer includes a noop handler. Either re-add noop to the handler config or remove/update the instruction so the agent doesn't emit a safe output that the handler won't process.
| **Note**: If you made no other safe output tool calls during this workflow execution, call the "noop" tool to provide a status message indicating completion or that no actions were needed. | |
| **Note**: If no safe output tool calls are required for this workflow execution, you may simply complete your response without emitting any safe output tool calls. |
| DEBUG: '*' | ||
| GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-config.outputs.safe_outputs_port }} | ||
| GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-config.outputs.safe_outputs_api_key }} | ||
| GH_AW_SAFE_OUTPUTS_TOOLS_PATH: /opt/gh-aw/safeoutputs/tools.json | ||
| GH_AW_SAFE_OUTPUTS_CONFIG_PATH: /opt/gh-aw/safeoutputs/config.json | ||
| GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs | ||
| run: | | ||
| # Environment variables are set above to prevent template injection | ||
| export DEBUG |
There was a problem hiding this comment.
DEBUG is set to '*' for the Safe Outputs MCP HTTP Server, which can dramatically increase log volume and risk leaking sensitive operational details into Actions logs. If this was added for troubleshooting, consider scoping DEBUG to the minimal namespace needed, gating it behind an input/secret, or removing it after the incident is resolved.
| "/tmp/gh-aw/mcp-logs/playwright", | ||
| "--allowed-hosts", | ||
| "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com", | ||
| "localhost,localhost:*,127.0.0.1,127.0.0.1:*,github.com", |
There was a problem hiding this comment.
Playwright MCP "--allowed-hosts" uses a comma-delimited list here while other workflows in this repo use semicolon-delimited values for both allowed-hosts and allowed-origins. If Playwright MCP expects semicolons, this will prevent it from reaching github.com. Consider reverting to semicolons (or updating both flags consistently if the delimiter requirement changed).
| "localhost,localhost:*,127.0.0.1,127.0.0.1:*,github.com", | |
| "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com", |
1 participant
No description provided.