Skip to content

Fix CLI proxy default policy to respect repo visibility (block private repos in public repos)#45158

Merged
lpcox merged 6 commits into
mainfrom
copilot/fix-cli-proxy-default-policy
Jul 13, 2026
Merged

Fix CLI proxy default policy to respect repo visibility (block private repos in public repos)#45158
lpcox merged 6 commits into
mainfrom
copilot/fix-cli-proxy-default-policy

Conversation

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

The CLI proxy's fallback policy (repos="all") allowed the gh CLI inside AWF to read any repo the token could access — including private repos — when running in a public repository with no explicit repos guard policy configured. The MCP Gateway already handled this correctly via its forcePublicRepos runtime override; the CLI proxy had no equivalent.

What changed

determine_automatic_lockdown.cjs — visibility-aware repos default

  • defaultRepos is now isPrivate ? "all" : "public" instead of always "all"
  • Added GH_AW_PRIVATE_TO_PUBLIC_FLOWS env var support: when set to "allow", overrides the public-repo default back to "all" (user opted in to cross-visibility flows)
  • Error fallback now uses repos="public" (consistent with visibility="public" conservative default)

compiler_github_mcp_steps.go — propagate opt-in flag

  • When tools.github.private-to-public-flows: allow is set, emits GH_AW_PRIVATE_TO_PUBLIC_FLOWS: allow into the determine-automatic-lockdown step env so the script can output repos=all

compiler_difc_proxy.go — dynamic default policy template

Replaces the hardcoded repos="all" fallback with a template referencing runtime step outputs:

# Before
CLI_PROXY_POLICY: '{"allow-only":{"repos":"all","min-integrity":"none"}}'

# After
CLI_PROXY_POLICY: '{"allow-only":{"repos":"${{ steps.determine-automatic-lockdown.outputs.repos }}","min-integrity":"${{ steps.determine-automatic-lockdown.outputs.min_integrity }}"}}'

This mirrors how GITHUB_MCP_GUARD_REPOS is already set from the same step output for the MCP Gateway path.

Tests

  • Tests updated across determine_automatic_lockdown.test.cjs, compiler_difc_proxy_test.go, and compiler_github_mcp_steps_test.go
  • Golden file pi.golden updated to match new compiler output

Behavior matrix

Repo visibility Explicit repos in frontmatter CLI proxy repos value
Public (none) "public"fixed
Public "all" "all" (explicit passthrough)
Public ["org/*"] ["org/*"]
Public private-to-public-flows: allow "all" (opted in)
Private (none) "all"
Private any whatever user specified

Related



✨ PR Review Safe Output Test - Run 29222894214

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 122.7 AIC · ⌖ 14.7 AIC · ⊞ 8.4K ·
Comment /smoke-claude to run again

When no explicit repos/min-integrity is configured in the workflow frontmatter, the CLI proxy previously fell back to a hardcoded default that allowed all repos (including private repos), even when the workflow runs in a public repository.

Changes:
- determine_automatic_lockdown.cjs: set repos="public" (not "all") for public repos when no repos is explicitly configured. Also handle GH_AW_PRIVATE_TO_PUBLIC_FLOWS=allow to override back to "all" when user opts in.
- compiler_github_mcp_steps.go: emit GH_AW_PRIVATE_TO_PUBLIC_FLOWS: allow env var when private-to-public-flows: allow is configured
- compiler_difc_proxy.go: reference steps.determine-automatic-lockdown.outputs.repos and .min_integrity in the default CLI proxy policy template instead of hardcoded values
- Update all workflow lock files via make recompile
- Update tests for all changes

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix CLI proxy default policy to respect repo visibility Fix CLI proxy default policy to respect repo visibility (block private repos in public repos) Jul 13, 2026
Copilot AI requested a review from lpcox July 13, 2026 03:24
Copilot finished work on behalf of lpcox July 13, 2026 03:24
Lock files will be recompiled separately after the source changes are merged.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox marked this pull request as ready for review July 13, 2026 03:30
Copilot AI review requested due to automatic review settings July 13, 2026 03:30
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates CLI proxy defaults to scope repository access by runtime visibility, addressing #45157.

Changes:

  • Defaults public repositories to repos=public.
  • Propagates the private-to-public flow opt-in.
  • Uses lockdown outputs in generated proxy policy and updates tests.
Show a summary per file
File Description
actions/setup/js/determine_automatic_lockdown.cjs Resolves visibility-aware policy defaults.
actions/setup/js/determine_automatic_lockdown.test.cjs Tests public defaults and opt-in behavior.
pkg/workflow/compiler_github_mcp_steps.go Propagates the opt-in environment variable.
pkg/workflow/compiler_github_mcp_steps_test.go Tests opt-in propagation.
pkg/workflow/compiler_difc_proxy.go Generates a runtime-aware CLI proxy policy.
pkg/workflow/compiler_difc_proxy_test.go Tests dynamic policy generation.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Updates expected compiled workflow output.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 7/7 changed files
  • Comments generated: 3
  • Review effort level: Medium

Comment thread pkg/workflow/compiler_difc_proxy.go Outdated
Comment on lines +531 to +533
policyJSON := getDIFCProxyPolicyJSON(githubToolConfig, data, data.SandboxConfig.MCP)
if policyJSON == "" {
policyJSON = defaultCliProxyPolicyJSON
difcProxyLog.Print("No guard policy configured, using default CLI proxy policy")
policyJSON = defaultCliProxyPolicyJSONTemplate
// Default to safe guard policy for public repos on error
core.setOutput("min_integrity", "approved");
core.setOutput("repos", "all");
core.setOutput("repos", "public");
} else {
core.info("Automatic guard policy determination complete for public repository");
core.info("GitHub MCP guard policy automatically applied for public repository. " + "min-integrity='approved' and repos='all' ensure only approved-integrity content is accessible.");
core.info("GitHub MCP guard policy automatically applied for public repository. " + "min-integrity='approved' and repos='public' restrict access to public repositories only.");
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #45158 does not have the 'implementation' label and has ≤100 new lines of code in business logic directories (60 additions across 7 files, threshold is 100).

@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

@github-actions github-actions Bot mentioned this pull request Jul 13, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 89/100 — Excellent

Analyzed 8 test(s): 8 design, 0 implementation, 0 violation(s).

📊 Metrics (8 tests)
Metric Value
Analyzed 8 (Go: 3, JS: 5)
✅ Design 8 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 5 (62%)
Duplicate clusters 0
Inflation No
🚨 Violations 0
Test File Classification Issues
should set repos=public for public repo (no guard policy) determine_automatic_lockdown.test.cjs design_test None
should not override min_integrity when already configured determine_automatic_lockdown.test.cjs design_test None
should handle API failure and default to safe guard policy determine_automatic_lockdown.test.cjs design_test ✅ error path
should infer visibility from private field when visibility missing determine_automatic_lockdown.test.cjs design_test ✅ edge case
should set repos=all when GH_AW_PRIVATE_TO_PUBLIC_FLOWS=allow determine_automatic_lockdown.test.cjs design_test ✅ opt-in path
TestBuildStartCliProxyStepYAML (no guard policy subtest) compiler_difc_proxy_test.go design_test ✅ edge: NotContains hardcoded
TestBuildStartCliProxyStepYAML (nil github tool subtest) compiler_difc_proxy_test.go design_test None
TestGenerateGitHubMCPLockdownDetectionStepEmitsPrivateToPublicFlowsEnv compiler_github_mcp_steps_test.go design_test ✅ new feature path

Verdict

Passed. 0% implementation tests (threshold: 30%). All modified tests verify behavioral contracts: the new visibility-aware default policy (public repos → repos=public), the GH_AW_PRIVATE_TO_PUBLIC_FLOWS=allow opt-in, and the step-output reference replacing hardcoded values. Error path and edge-case coverage is solid. No Go mock library violations. Build tags present on all Go test files. JS inflation ratio ~1.8:1 (within 2:1 threshold).

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 38.1 AIC · ⌖ 10.4 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 89/100. 0% implementation tests (threshold: 30%).

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: Fix CLI proxy default policy to respect repo visibility

The changes are correct, well-tested, and consistent with the existing MCP Gateway pattern.

Key observations:

  • The core fix in determine_automatic_lockdown.cjs correctly closes the privilege escalation gap where a public-repo workflow could reach private repos via the CLI proxy.
  • The template expressions inside the single-quoted YAML string are evaluated by GitHub Actions at the expression layer before the shell sees the value, so the quoting is correct and safe.
  • Step ordering is verified: determine-automatic-lockdown runs before Start CLI proxy in the compiled output, so outputs are always available.
  • The opt-in path (private-to-public-flows: allow) is correctly threaded: compiler emits GH_AW_PRIVATE_TO_PUBLIC_FLOWS=allow in the step env, which the lockdown script reads to output repos=all.
  • Error fallback now uses repos=public instead of repos=all — a security improvement for ambiguous-visibility failures.
  • Tests cover: public default, error fallback, explicit opt-in, and golden output regression.

No blocking issues found.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 40.9 AIC · ⌖ 4.36 AIC · ⊞ 4.8K

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /diagnosing-bugs and /tdd — clean security fix with good test coverage; leaving comments on two actionable gaps.

📋 Key Themes & Highlights

Key Themes

  • Error-path inconsistency (determine_automatic_lockdown.cjs:120): The catch block always falls back to repos=public, ignoring GH_AW_PRIVATE_TO_PUBLIC_FLOWS=allow. A workflow that explicitly opts into cross-visibility flows will have that opt-in silently dropped on transient API failure.
  • Silent typo swallowing (determine_automatic_lockdown.cjs:67): The opt-in value is compared with strict equality against "allow" but unrecognised values produce no warning — a one-character typo in the frontmatter disables the opt-in without any signal to the author.
  • Test assertion gap (determine_automatic_lockdown.test.cjs:307): The new opt-in test is present and correct, but omits the min_integrity assertion for the cross-visibility case.

Positive Highlights

  • ✅ The core fix is correct and complete: repos=public default for public repos closes the private-repo exposure.
  • ✅ Excellent symmetry with the MCP Gateway: using step-output references in defaultCliProxyPolicyJSONTemplate cleanly mirrors $GITHUB_MCP_GUARD_REPOS.
  • quoteYAMLEnvValue correctly handles the new template value with ${{ }} expressions — the golden-file update confirms the output is well-formed.
  • ✅ Tests across all three layers (JS unit, Go unit, golden file) are updated and the new opt-in test case directly specifies the intended behaviour.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 50.1 AIC · ⌖ 4.79 AIC · ⊞ 6.6K
Comment /matt to run again

// Default to safe guard policy for public repos on error
core.setOutput("min_integrity", "approved");
core.setOutput("repos", "all");
core.setOutput("repos", "public");

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/diagnosing-bugs] Error fallback ignores GH_AW_PRIVATE_TO_PUBLIC_FLOWS — a workflow that opted into cross-visibility flows will silently fall back to repos=public on API failure, potentially breaking the workflow in a non-obvious way.

💡 Suggested fix

Read the env var in the catch block too:

} catch (error) {
  const privateToPublicFlows = process.env.GH_AW_PRIVATE_TO_PUBLIC_FLOWS || "";
  const fallbackRepos = privateToPublicFlows === "allow" ? "all" : "public";
  core.setOutput("repos", fallbackRepos);
  // ... rest of error handling
}

A test covering GH_AW_PRIVATE_TO_PUBLIC_FLOWS=allow + API failure would lock this in.

@copilot please address this.

// workflow author has explicitly opted in via private-to-public-flows: allow.
// Private/internal repos default to repos=all (no cross-visibility restriction).
const privateToPublicFlows = process.env.GH_AW_PRIVATE_TO_PUBLIC_FLOWS || "";
const defaultRepos = isPrivate || privateToPublicFlows === "allow" ? "all" : "public";

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/tdd] The opt-in condition privateToPublicFlows === "allow" silently ignores any other non-empty value (e.g. typos like "Allow" or "yes"). This should either be documented as intentional or validated with a warning.

💡 Suggested improvement

Emit a warning for unrecognised values so authors get immediate feedback on typos:

const privateToPublicFlows = process.env.GH_AW_PRIVATE_TO_PUBLIC_FLOWS || "";
if (privateToPublicFlows && privateToPublicFlows !== "allow") {
  core.warning(`GH_AW_PRIVATE_TO_PUBLIC_FLOWS='${privateToPublicFlows}' is not recognised; expected 'allow'. Treating as unset.`);
}
const defaultRepos = isPrivate || privateToPublicFlows === "allow" ? "all" : "public";

A test for GH_AW_PRIVATE_TO_PUBLIC_FLOWS=Allow (wrong case) would complete the specification.

@copilot please address this.

expect(mockCore.setOutput).toHaveBeenCalledWith("repos", "all");
expect(mockCore.setOutput).toHaveBeenCalledWith("min_integrity", "approved");
expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "public");
expect(mockCore.info).toHaveBeenCalledWith(expect.stringContaining("repos not configured"));

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/tdd] The new opt-in test asserts that repos=all is output, but it doesn't assert that min_integrity is still approved for a public repo with the opt-in flag. Adding this assertion strengthens the spec for the cross-visibility case.

💡 Suggested addition
expect(mockCore.setOutput).toHaveBeenCalledWith("min_integrity", "approved");
expect(mockCore.setOutput).toHaveBeenCalledWith("visibility", "public");
expect(mockCore.setOutput).toHaveBeenCalledWith("repos", "all");
// Also assert info log mentions opt-in path for observability
expect(mockCore.info).toHaveBeenCalledWith(expect.stringContaining("repos not configured"));

The last line is already present — just make min_integrity explicit too.

@copilot please address this.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

COMMENT — correct fix, two non-blocking concerns

The core change is correct and well-structured: switching the CLI proxy default from the hardcoded permissive repos=all to a visibility-aware runtime value via determine-automatic-lockdown step outputs closes a real gap (public-repo workflows could previously read private repos through the CLI proxy). The approach mirrors how the MCP Gateway already handles this.

Review themes

Concern 1 (medium): Unquoted env valueGH_AW_PRIVATE_TO_PUBLIC_FLOWS: allow is emitted as a bare scalar while every adjacent env is wrapped in quoteYAMLEnvValue. Not a bug today, but inconsistent and fragile. See inline comment on line 88.

Concern 2 (medium, security-adjacent): Silent opt-in failure — unrecognized private-to-public-flows values (typos, wrong case) are silently treated as disabled. A workflow author who misspells the value gets repos=public with no error or warning, believing cross-visibility flows are enabled when they are not. Compile-time validation of the enum value would catch this. See inline comment on line 69.

Both existing review comments (log message accuracy at line 91, missing opt-in check in error fallback at line 120) are valid and worth addressing before merge.

🔎 Code quality review by PR Code Quality Reviewer · 77.5 AIC · ⌖ 4.63 AIC · ⊞ 5.4K
Comment /review to run again

fmt.Fprintf(yaml, " GH_AW_GITHUB_REPOS: %s\n", quoteYAMLEnvValue(configuredRepos))
}
if privateToPublicFlowsAllow {
yaml.WriteString(" GH_AW_PRIVATE_TO_PUBLIC_FLOWS: allow\n")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unquoted bare YAML scalar is inconsistent with the rest of this block and fragile if the value ever changes. Every adjacent env emission uses quoteYAMLEnvValue; this one does not.

💡 Suggested fix
yaml.WriteString("          GH_AW_PRIVATE_TO_PUBLIC_FLOWS: " + quoteYAMLEnvValue("allow") + "\n")

allow is not a YAML boolean keyword, so this is not a bug today. But the inconsistency looks like an oversight and sets a fragile precedent — if this value ever changes to yes, on, or true, the unquoted scalar will be misinterpreted as a boolean by YAML 1.1 parsers (used by some Actions runners).

// When set to "allow", the user has explicitly opted in to cross-visibility data
// flows, so the repos default should be "all" rather than "public" even for
// public repositories.
if ptpFlows, _ := toolConfig["private-to-public-flows"].(string); ptpFlows == "allow" {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typos or casing variants in private-to-public-flows are silently ignored, making it look like the opt-in succeeded when it did not. This is a security-adjacent concern: a workflow author who writes private-to-public-flows: Allow or private-to-public-flows: yes will see no error, no warning, and will get repos=public — unexpectedly blocking data flows they believed they had enabled.

💡 Details

The compiler check (line 69) accepts only the exact string "allow" with no validation for other values. The runtime check in determine_automatic_lockdown.cjs mirrors this with a strict === 'allow' comparison.

Two improvements:

  1. At compile time: validate that the value is exactly "allow" (or a recognized set) and return a compile error for unrecognized values, rather than silently treating them as disabled. This is consistent with how other enum fields in the frontmatter are handled.

  2. At runtime: since the env var is compiler-emitted and only ever set to allow, the JS check is fine as-is — but add a comment noting that the value is an enum, not a free-form string, so a future contributor does not add a .trim().toLowerCase() that weakens the gate without realizing it.

@lpcox

lpcox commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

Copilot AI and others added 2 commits July 13, 2026 03:50
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Lock files will be recompiled separately after the source changes are merged.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox added the smoke label Jul 13, 2026
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

@github-actions

Copy link
Copy Markdown
Contributor

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.54.0
jq 1.7
yq v4.53.3
curl 8.5.0
gh 2.96.0
node v22.23.1
python3 3.11.15 (PyPy 7.3.23)
go 1.24.13
java 10.0.301
dotnet 10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔧 Tool validation by Agent Container Smoke Test · 12.5 AIC · ⌖ 6.78 AIC · ⊞ 4.6K ·
Comment /smoke-test-tools to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke test 29222894126

  • ✅ GH CLI
  • ❌ Web fetch tool unavailable
  • ✅ File write
  • ✅ Bash verify
  • ❌ Build
    Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

🥧 Smoke Pi — Powered by Pi · 2.25 AIC · ⌖ 4.55 AIC · ⊞ 2.9K ·
Comment /smoke-pi to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results: FAIL

  • GitHub MCP Testing: ✅
  • Web Fetch Testing: ✅
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅
  • Build gh-aw: ❌ (Build failed)

Run URL: https://github.com/github/gh-aw/actions/runs/29222894208

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

Smoke Gemini — Powered by Gemini · 9.22 AIC · ⌖ 2.34 AIC · ⊞ 9.3K ·
Comment /smoke-gemini to run again

@github-actions

Copy link
Copy Markdown
Contributor

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Details

The threat detection engine failed to produce results.

Review the workflow run logs for details.

Pull request created: #45169

Generated by Changeset Generator · 1.33 AIC · ⊞ 13.5K

@github-actions

Copy link
Copy Markdown
Contributor

Comment Memory

Autumn wind on silent code
Build light flickers, paths refuse
Stillness keeps the branch

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

🔮 The oracle has spoken through Smoke Codex · 10.7 AIC · ⊞ 10.9K ·
Comment /smoke-codex to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke: Fix CLI proxy default policy to respect repo visibility (block private repos in public repos)
Merged refs: fix: emit sbx credential refresh step before agent execution | feat: implement private-to-public-flows: allow as a tools.github frontmatter field
✅ 2 3 4 6 7 8 9 11 12 13 15 16
❌ 1 5 10 14
Overall: FAIL
Author: @Copilot | Assignees: @lpcox, @Copilot

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 98.9 AIC · ⌖ 4.8 AIC · ⊞ 19.1K ·
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

Copy link
Copy Markdown
Contributor

Comment Memory

Smoke tests hum at dawn
Browsers blink and build logs settle
Guardrails keep the beat

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 98.9 AIC · ⌖ 4.8 AIC · ⊞ 19.1K ·
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke review completed for run 29222934137.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 98.9 AIC · ⌖ 4.8 AIC · ⊞ 19.1K
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

Copy link
Copy Markdown
Contributor

💥 Smoke Test: Claude — Run 29222894214

Core #1-12: all ✅

PR Review #13-19: 13✅ 14✅ 15✅ 16✅ 17✅ 18⚠️(push blocked: branch history has lock files outside allowed-files) 19⚠️(skipped)

Overall: PARTIAL — all executed tests passed; #18 blocked by pre-existing branch history, #19 skipped.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 122.7 AIC · ⌖ 14.7 AIC · ⊞ 8.4K ·
Comment /smoke-claude to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 122.7 AIC · ⌖ 14.7 AIC · ⊞ 8.4K
Comment /smoke-claude to run again

// detect whether each field is already configured and avoid overriding it.
configuredMinIntegrity := ""
configuredRepos := ""
privateToPublicFlowsAllow := false

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice — introducing the privateToPublicFlowsAllow flag here keeps the default-repos logic explicit and readable.

// Public repos default to repos=public to block access to private repos unless the
// workflow author has explicitly opted in via private-to-public-flows: allow.
// Private/internal repos default to repos=all (no cross-visibility restriction).
const privateToPublicFlows = process.env.GH_AW_PRIVATE_TO_PUBLIC_FLOWS || "";

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading the private-to-public-flows env here is clear; consider a brief inline note that empty defaults to the restrictive path.

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot AI commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

@copilot run pr-finisher skill

Completed a pr-finisher pass and pushed updates in 3174273. I triaged PR state/CI, applied the actionable follow-up fixes, ran local validation (make fmt, make lint, make test-unit, make test, make recompile), and ran final parallel validation (Code Review passed; CodeQL timed out in the validator service).

@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CLI proxy default policy should respect repo visibility (block private repos in public repos)

3 participants