Copy Copilot session state files to logs before secret redaction

[Copilot]

Copilot CLI writes session state to ~/.copilot/session-state/[session-id].jsonl but these files weren't being captured in workflow artifacts, making debugging difficult.

Changes

• Added copy step in pkg/workflow/copilot_logs.go

  • Modified GetFirewallLogsCollectionStep() to add session file copy step
  • Added generateCopilotSessionFileCopyStep() function
  • Copies ~/.copilot/session-state/*.jsonl to /tmp/gh-aw/sandbox/agent/logs/
  • Step runs BEFORE secret redaction so files are scanned for secrets
  • Uses if: always() and continue-on-error: true for reliability

• Updated declared output files in pkg/workflow/copilot_engine.go

  • GetDeclaredOutputFiles() returns only logs folder
  • Session files copied to logs folder are automatically included in artifact upload

• Added test coverage

  • TestCopilotEngine verifies logs folder in declared output files
  • TestCopilotSessionFileCopyStep validates copy step generation

Generated Workflow Steps

- name: Copy Copilot session state files to logs
  if: always()
  continue-on-error: true
  run: |
    SESSION_STATE_DIR="$HOME/.copilot/session-state"
    LOGS_DIR="/tmp/gh-aw/sandbox/agent/logs"
    
    if [ -d "$SESSION_STATE_DIR" ]; then
      echo "Copying Copilot session state files from $SESSION_STATE_DIR to $LOGS_DIR"
      mkdir -p "$LOGS_DIR"
      cp -v "$SESSION_STATE_DIR"/*.jsonl "$LOGS_DIR/" 2>/dev/null || true
      echo "Session state files copied successfully"
    fi

- name: Redact secrets in logs
  # ... secret redaction scans /tmp/gh-aw/ including copied session files

- name: Upload engine output files
  uses: actions/upload-artifact@...
  with:
    name: agent_outputs
    path: |
      /tmp/gh-aw/sandbox/agent/logs/
      /tmp/gh-aw/redacted-urls.log

Applies to 82 workflows using Copilot engine.

Original prompt

The copilot session file is located at ~/.copilot/session-state/[session id].jsonl . Make sure this file gets copied to the /tmp/gh-aw/sandbox/agent/logs/ folder.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

---

Changeset

• Type: patch
• Description: Copy Copilot session state files (~/.copilot/session-state/*.jsonl) to /tmp/gh-aw/sandbox/agent/logs/ before secret redaction so they are included in workflow artifacts and available for debugging.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

[pelikhan]

@copilot this file path in the list of output files in the agentic engine interface. do not add a new step

[Copilot]

@copilot this file path in the list of output files in the agentic engine interface. do not add a new step

Done in 8c531a8. Added /home/runner/.copilot/session-state/*.jsonl to GetDeclaredOutputFiles() instead of creating a copy step. Updated validation to allow this path since session state files are internal CLI state (safe to upload without secret redaction).

[pelikhan]

@copilot add a step to copy the declared output files to the /tmp/gh-aw/agent/logs/ folder before the secret redaction as well.

[Copilot]

@copilot add a step to copy the declared output files to the /tmp/gh-aw/agent/logs/ folder before the secret redaction as well.

Done in a88e3d4. Added copy step that runs before secret redaction:

• Copies ~/.copilot/session-state/*.jsonl → /tmp/gh-aw/sandbox/agent/logs/
• Step runs with if: always() and continue-on-error: true
• Files are in /tmp/gh-aw/ where secret redaction scans them
• Then uploaded in agent_outputs artifact

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️

[github-actions]

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Smoke Test Results

✅ File Writing: Created test file successfully
✅ Bash Tool: Verified file content
✅ Safe Input gh Tool: GitHub CLI access working

Overall Status: PASS

AI generated by Smoke Copilot Safe Inputs

[github-actions]

Smoke Test Results - Run 20800667277

Last 2 Merged PRs: #9062 (Protocol-specific domain filtering), #9055 (AWF logs summary)

✅ GitHub MCP - Retrieved PRs
✅ File Writing - Created agent test file
✅ Bash Tool - File verified
✅ Cache Memory - Cache file created and verified
✅ Web Fetch - api.github.com returned valid JSON
✅ Protocol Filtering - Found https://api.github.com and `(redacted) in logs
⚠️ GitHub MCP Default Toolset - get_me exists but returns 403 (permission issue, not toolset filtering)

Overall: PASS (7/7 core tests passed)

cc @Copilot @Mossaka

AI generated by Smoke Copilot

[github-actions]

Smoke Test Results

• ❌ Playwright MCP: Tool not available
• ❌ safeinputs-gh: Tool not available
• ✅ Cache Memory: Successfully wrote and verified test file

Overall Status: FAIL (2/3 tests failed - missing tools)

AI generated by Smoke Copilot Playwright

[github-actions]

PRs: Support protocol-specific domain filtering (http/https); Use awf logs summary for CI firewall reports
OpenAI curl blocked: ✅
GitHub MCP (last 2 merged PRs): ✅
File write/read /tmp/gh-aw/agent/smoke-test-codex-firewall-20800667292.txt: ✅
Blocked domain curl (example.com): ✅
AWF allow-domains includes https://api.github.com (log check): ❌ (no logs available)
Network: SANDBOXED | Overall: FAIL

AI generated by Smoke Codex Firewall

[github-actions]

Smoke Test Results - Claude (Run 20800667305)

Recent PRs:

• Add workflow: githubnext/agentics/weekly-research #8: Add workflow: githubnext/agentics/weekly-research
• Remove ai-inference, opencode, genaiscript agentic engines for now #10: Remove ai-inference, opencode, genaiscript agentic engines for now

Tests:

• ✅ GitHub MCP - Retrieved 2 PRs
• ✅ File Writing - Created agent test file
• ✅ Bash Tool - Verified file contents
• ✅ Playwright MCP - Navigated to GitHub, title verified
• ✅ Cache Memory - Created and verified cache file
• ✅ gh Tool - Listed 3 issues successfully

Status: PASS

AI generated by Smoke Claude

[github-actions]

Smoke Test Results - Copilot Engine (No Firewall)

✅ All tests passed

1. GitHub PR Search - Retrieved last 2 merged PRs: #9062 (Protocol-specific domain filtering), #9055 (AWF logs summary)
2. File Creation - Created /tmp/gh-aw/agent/smoke-test-copilot-20800667302.txt
3. Playwright Navigation - Navigated to https://github.com, verified page title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
4. GitHub Issues - Retrieved 3 open issues using GitHub API tools (#9268, #9260, #9254)

AI generated by Smoke Copilot No Firewall

[github-actions]

PR titles reviewed: Sync github-agentic-workflows.md with v0.35.1 (#9276); Remove dangerous-permissions-write feature flag suggestion from compiler errors (#9275)
GitHub MCP: ✅
File write/read: ✅
Playwright title check: ✅
Cache memory write/read: ✅
safeinputs-gh: ❌ (tool unavailable)
Overall: FAIL

AI generated by Smoke Codex