Skip to content

[review] fix: emit sbx credential refresh step before agent execution#45150

Closed
github-actions[bot] wants to merge 3 commits into
mainfrom
fix/docker-sbx-credential-refresh-review-1783903827084
Closed

[review] fix: emit sbx credential refresh step before agent execution#45150
github-actions[bot] wants to merge 3 commits into
mainfrom
fix/docker-sbx-credential-refresh-review-1783903827084

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Reason: agent_failure

Review the workflow run logs for details.

This PR contains changes that were originally intended for PR #45146 (fix/docker-sbx-credential-refresh).
Please review the changes carefully before merging.


Generated by 👨‍🍳 PR Sous Chef · 8.27 AIC · ⌖ 6.32 AIC · ⊞ 7.5K ·
Comment /souschef to run again

lpcox and others added 2 commits July 12, 2026 15:02
Docker Hub OAuth tokens obtained by `sbx login` during the daemon-setup
step can expire or be invalidated by the policy-reset cycle. By the time
AWF calls `sbx create`, the sbx daemon no longer has valid Docker Hub
credentials, causing 'user is not authenticated to Docker' errors.

Add a `generateDockerSbxCredentialRefreshStep()` that runs `sbx login`
immediately before the agent execution step, ensuring the daemon has
fresh credentials when AWF creates the microVM sandbox.

The step is emitted in `compiler_yaml_ai_execution.go` (the common
compilation path for all engines) so it applies to Copilot, Claude,
Codex, and any future engine using docker-sbx runtime.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor Author

Hey team 👋 — thanks for getting this changeset for the fix/docker-sbx-credential-refresh fix into review. The change is tightly scoped (a single .changeset entry) and clearly aligned with the project's agentic development workflow.

One thing worth noting before this lands:

  • No test changes included — the underlying fix (emitting the sbx credential refresh step before agent execution) touches runtime behaviour that could benefit from test coverage. The changeset file itself doesn't need tests, but it's worth confirming that the corresponding implementation in PR fix: emit sbx credential refresh step before agent execution #45146 carries adequate test coverage before this changeset is merged.
  • Agentic threat flag — the PR body includes a gh-aw-threat-detected caution block with reason agent_failure. This requires manual review of the associated workflow run before any follow-up automation proceeds, per the flag's own instructions.

If you'd like an agent to help add test coverage for the credential refresh step, here's a ready-to-use prompt:

Add or verify test coverage for the sbx credential refresh step emission in the fix/docker-sbx-credential-refresh branch.
Specifically:
1. Confirm that the credential refresh step is emitted before agent execution begins.
2. Add a unit or integration test that asserts ordering: credential refresh step must appear before the first agent execution step in the emitted output.
3. Ensure the test runs in CI and is placed alongside existing tests for the sbx/credential refresh logic.

Generated by ✅ Contribution Check · 115.3 AIC · ⌖ 9.07 AIC · ⊞ 6.2K ·

Base automatically changed from fix/docker-sbx-credential-refresh to main July 13, 2026 01:34
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

pr-sous-chef
@copilot please run the pr-finisher skill, review the current PR state, address any remaining feedback, and rerun checks once the branch is ready for maintainer review.

Run: https://github.com/github/gh-aw/actions/runs/29220275355

Generated by 👨‍🍳 PR Sous Chef · 8.27 AIC · ⌖ 6.32 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Hey team 👋 — thanks for getting this changeset for the fix/docker-sbx-credential-refresh fix into review. The change is tightly scoped (a single .changeset entry) and clearly aligned with the...

Thanks for the review. Addressing both points:

  1. No test changes — This PR only carries the missing changeset file for the fix already merged in fix: emit sbx credential refresh step before agent execution #45146. The implementation and any associated test coverage live in that PR.

  2. Agentic threat flag — Acknowledged. The threat-detection warning requires human manual review of the workflow run before merge; this is flagged in the summary below.

Local validation: make fmt, make lint, and make test-unit all pass. PR mergeable state is clean. Ready for human review and CI re-trigger.

Copilot AI requested a review from gh-aw-bot July 13, 2026 03:07
@lpcox lpcox closed this Jul 13, 2026
@github-actions github-actions Bot added the closed:unknown PR was closed without merging: unknown label Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

closed:unknown PR was closed without merging: unknown needs-review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants