fix: surface GH_AW_GITHUB_TOKEN guidance on cross-repo private callee auth failure #32530
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…callee auth failure Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Improves error guidance when a `workflow_call` from a caller targets a private callee repo whose Contents API the caller's repo-scoped `GITHUB_TOKEN` cannot read. Instead of falsely directing users to run `gh aw compile`, the action now detects HTTP 401/403/404 on cross-repo lock file fetches and emits actionable `GH_AW_GITHUB_TOKEN` guidance in the log, the step summary, and the `setFailed` message.
Changes:
- Inlined the `github.rest.repos.getContent` call in `compareFrontmatterHashes()` to capture HTTP status codes and detect cross-repo auth failures.
- Branched the failure summary/`setFailed` message to surface `GH_AW_GITHUB_TOKEN` remediation when a cross-repo 401/403/404 was observed.
- Added a new test block (8 cases) covering 401/403/404 cross-repo guidance, summary content, same-repo and statusless-error negative cases, and local-fallback success.
| File | Description |
|---|---|
| actions/setup/js/check_workflow_timestamp_api.cjs | Inlines lock-file fetch, records cross-repo auth failures, and switches the final error/summary text accordingly. |
| actions/setup/js/check_workflow_timestamp_api.test.cjs | Adds regression tests for the new cross-repo auth failure guidance behavior. |
| .github/workflows/daily-model-inventory.lock.yml | Regenerated heredoc delimiter hashes plus a trailing newline; appears to be an unrelated recompile artifact. |
| // Track whether a cross-repo API auth failure was the root cause of the hash check failure. | ||
| // Used to surface targeted remediation guidance instead of the generic "run gh aw compile" message. | ||
| // Set inside compareFrontmatterHashes() when an HTTP 401/403/404 is returned for a cross-repo fetch. | ||
| let crossRepoAuthFailure = null; |
Done — crossRepoAuthFailure is no longer an outer variable mutated by a closure. compareFrontmatterHashes() now returns { result, crossRepoAuthFailure } and the call site destructures it: const { result: hashComparison, crossRepoAuthFailure } = await compareFrontmatterHashes(); (commit 783a6b3~1 → latest).
…nstead of outer variable Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Warning: Firewall blocked 6 domains. The following domains were blocked by the firewall during workflow execution: accounts.google.com, android.clients.google.com, clients2.google.com, contentautofill.googleapis.com, safebrowsingohttpgateway.googleapis.com, www.google.com. To allow these domains, add them to the `network.allowed` list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
```

See Network Configuration for more information.
This refactor cleanly encapsulates crossRepoAuthFailure inside compareFrontmatterHashes() and returns it as part of a structured result. The code is easier to reason about, and the cross-repo auth guidance path is now clearly separated from the normal hash comparison logic.
| // code for cross-repo auth failure detection: the caller's GITHUB_TOKEN is repo-scoped and | ||
| // cannot read from a private callee repo, returning 404/401/403. | ||
| let lockFileContent = null; | ||
| let crossRepoAuthFailure = null; |
Good scoping fix — moving crossRepoAuthFailure inside compareFrontmatterHashes() keeps the variable closer to where it is mutated, making the control flow easier to follow.
| if (!lockFileContent) { | ||
| core.info("Unable to fetch lock file content for hash comparison via API, trying local filesystem fallback"); | ||
| return await compareFrontmatterHashesFromLocalFiles(); | ||
| return { result: await compareFrontmatterHashesFromLocalFiles(), crossRepoAuthFailure }; |
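Review bot: this fallback branch returns `crossRepoAuthFailure` together with whatever `compareFrontmatterHashesFromLocalFiles()` produces, so a successful local comparison can arrive with a non-null auth failure attached; the call site must key the `GH_AW_GITHUB_TOKEN` guidance on `result` being null rather than on `crossRepoAuthFailure` alone, and the "local-fallback success despite API 404" test case should assert that no guidance is emitted in that situation. Both `return` lines are visible here; confirm that `return await compareFrontmatterHashesFromLocalFiles();` is the removed line so the function has a single exit on this path.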
The structured return { result, crossRepoAuthFailure } is a clear improvement — callers can now distinguish between a null result and an auth failure without relying on side-channel outer variables.
| // result — { match, storedHash, recomputedHash } | null | ||
| // crossRepoAuthFailure — { status, repo } when a cross-repo 401/403/404 was the root cause, else null | ||
| async function compareFrontmatterHashes() { | ||
| try { |
Smoke test note: consider adding a unit test for this code path. 🤖
| try { | ||
| const response = await github.rest.repos.getContent({ | ||
| owner, | ||
| repo, |
Smoke test note: consider logging context info here for easier debugging. 🛰️
Please address the unresolved review feedback, especially the global-variable and unit-test notes.
Please refresh the branch if needed, rerun checks, and post a brief update on the remaining blocker(s).
Please address unresolved review feedback and propose fixes. — pr-sous-chef (run: https://github.com/github/gh-aw/actions/runs/25956153961)
@copilot do not inline getFileContent, instead expose the status code in result so that you avoid duplicate code
… API call Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done.
When `workflow_call` targets a private callee repo, the caller's `GITHUB_TOKEN` is repo-scoped and returns 404 from the callee's Contents API. Previously this fell through to `getFileContent()` (which discards errors), then to the misleading "lock file is outdated — run `gh aw compile`" error. Recompiling does nothing to fix an auth gap.

Changes
- `check_workflow_timestamp_api.cjs`: inlined the `getContent` call in `compareFrontmatterHashes()`, replacing the `getFileContent()` helper call so the HTTP status is visible.
- On a 401/403/404 when `workflowRepo !== currentRepo`, records `crossRepoAuthFailure = { status, repo }` and logs immediately.
- When `hashComparison` is null and `crossRepoAuthFailure` is set, the step summary and `setFailed` message now emit actionable `GH_AW_GITHUB_TOKEN` guidance instead of `gh aw compile`.

Preserved behaviour
- Errors without `.status` (e.g. "Resource not accessible by integration") → unchanged "outdated or unverifiable" path.
- `stale_lock_file_failed` output is still set on all failure paths.

Tests (`check_workflow_timestamp_api.test.cjs`)
New `cross-repo private callee auth failure guidance` describe block (8 tests): HTTP 404/401/403 guidance messages, summary content, `stale_lock_file_failed` output, no guidance for generic/statusless errors, no guidance for same-repo 404, local-fallback success despite API 404.
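As an added illustration (not gh-aw's own code), the classification described above modelled stand-alone: a `compareFrontmatterHashes`-style wrapper that reads the HTTP status of a failed cross-repo Contents API call, returns `{ result, crossRepoAuthFailure }`, and branches the failure message on it. The `getContent` injection, `classifyFetchError`, `hashText` (an FNV-1a stand-in for the real frontmatter hash), `failureMessage`, `makeFakeClient` and the lock file path are assumptions made for the example.

```javascript
// Added example, not gh-aw's code: models the PR's structured result outside GitHub Actions.
const AUTH_STATUSES = new Set([401, 403, 404]);

// Pure classifier: only a status-bearing 401/403/404 against a *different* repo is blamed on the
// caller's repo-scoped GITHUB_TOKEN; statusless errors and same-repo misses return null.
function classifyFetchError(err, workflowRepo, currentRepo) {
  if (workflowRepo === currentRepo) return null;
  if (typeof err.status !== "number" || !AUTH_STATUSES.has(err.status)) return null;
  return { status: err.status, repo: workflowRepo };
}

// Stand-in for the real frontmatter hash (FNV-1a 32-bit); the project's hashing is not modelled.
function hashText(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) { h ^= text.charCodeAt(i); h = Math.imul(h, 0x01000193) >>> 0; }
  return h.toString(16).padStart(8, "0");
}

// Mirrors the PR's return shape { result, crossRepoAuthFailure }. `getContent` stands in for
// github.rest.repos.getContent and is expected to throw errors carrying an HTTP `status`.
async function compareFrontmatterHashes({ getContent, workflowRepo, currentRepo, storedHash }) {
  const [owner, repo] = workflowRepo.split("/");
  let crossRepoAuthFailure = null;
  let lockFileContent = null;
  try {
    // Constructed lock file path for the example.
    const response = await getContent({ owner, repo, path: ".github/workflows/example.lock.yml" });
    lockFileContent = Buffer.from(response.data.content, "base64").toString("utf8");
  } catch (e) {
    crossRepoAuthFailure = classifyFetchError(e, workflowRepo, currentRepo);
  }
  if (lockFileContent === null) return { result: null, crossRepoAuthFailure };
  const recomputedHash = hashText(lockFileContent);
  return { result: { match: recomputedHash === storedHash, storedHash, recomputedHash }, crossRepoAuthFailure };
}

// Message branch: GH_AW_GITHUB_TOKEN guidance only when there is no result AND an auth failure was
// seen; a fallback that produced a result is judged on the hash match alone.
function failureMessage({ result, crossRepoAuthFailure }) {
  if (result && result.match) return null;
  if (result === null && crossRepoAuthFailure) {
    return `Could not read the lock file in ${crossRepoAuthFailure.repo} (HTTP ${crossRepoAuthFailure.status}): ` +
      "the caller's GITHUB_TOKEN is repo-scoped. Provide GH_AW_GITHUB_TOKEN with read access to that repo.";
  }
  return "Lock file is outdated or unverifiable; run `gh aw compile`.";
}

// Constructed fake client: readable for one repo, HTTP 404 for any other (a private callee as seen
// by a token that cannot see it).
function makeFakeClient(visibleRepo, content) {
  return async ({ owner, repo }) => {
    if (`${owner}/${repo}` !== visibleRepo) { const err = new Error("Not Found"); err.status = 404; throw err; }
    return { data: { content: Buffer.from(content).toString("base64") } };
  };
}
```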
Changeset: `GH_AW_GITHUB_TOKEN` guidance when a private cross-repo callee cannot be read by the caller's `GITHUB_TOKEN`.
pr-sous-chef: attempted branch update (run: https://github.com/github/gh-aw/actions/runs/25956153961)