From ecf317311cf88796f2138b176a2521eb22fd5cf7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 3 Apr 2026 22:43:33 +0000
Subject: [PATCH] fix: handle SIGPIPE in Fetch PR changed files step to prevent
 missing delimiter error

When the PR diff exceeds 8000 bytes, `gh api ... | head -c 8000` causes
SIGPIPE (exit 141) on the gh api process. GitHub Actions bash uses
`-eo pipefail`, so the pipeline failure aborts the subshell before
writing the closing heredoc delimiter to GITHUB_OUTPUT, resulting in:

  ##[error]Invalid value. Matching delimiter not found 'GHAW_PR_FILES_...'

Fix: add `|| true` after `head -c 8000` to swallow the SIGPIPE/pipefail
error, ensuring the closing delimiter is always written to GITHUB_OUTPUT.

Fixes failing job: https://github.com/github/gh-aw-firewall/actions/runs/23964770751/job/69902358339

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/c8b8f958-f52e-4390-af7d-f094e20e68da

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---
 .github/workflows/security-guard.lock.yml | 2 +-
 .github/workflows/security-guard.md       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml
index 1db6ed79..10908cdc 100644
--- a/.github/workflows/security-guard.lock.yml
+++ b/.github/workflows/security-guard.lock.yml
@@ -313,7 +313,7 @@ jobs:
         id: pr-diff
         if: github.event.pull_request.number
         name: Fetch PR changed files
-        run: "DELIM=\"GHAW_PR_FILES_$(date +%s)\"\n{\n  echo \"PR_FILES<<${DELIM}\"\n  gh api \"repos/${GH_REPO}/pulls/${PR_NUMBER}/files\" \\\n    --paginate --jq '.[] | \"### \" + .filename + \" (+\" + (.additions|tostring) + \"/-\" + (.deletions|tostring) + \")\\n\" + (.patch // \"\") + \"\\n\"' \\\n    | head -c 8000\n  echo \"${DELIM}\"\n} >> \"$GITHUB_OUTPUT\"\n"
+        run: "DELIM=\"GHAW_PR_FILES_$(date +%s)\"\n{\n  echo \"PR_FILES<<${DELIM}\"\n  gh api \"repos/${GH_REPO}/pulls/${PR_NUMBER}/files\" \\\n    --paginate --jq '.[] | \"### \" + .filename + \" (+\" + (.additions|tostring) + \"/-\" + (.deletions|tostring) + \")\\n\" + (.patch // \"\") + \"\\n\"' \\\n    | head -c 8000 || true\n  echo \"${DELIM}\"\n} >> \"$GITHUB_OUTPUT\"\n"
 
       - name: Configure Git credentials
         env:
diff --git a/.github/workflows/security-guard.md b/.github/workflows/security-guard.md
index 240f2ec6..389bbf1f 100644
--- a/.github/workflows/security-guard.md
+++ b/.github/workflows/security-guard.md
@@ -32,7 +32,7 @@ steps:
         echo "PR_FILES<<${DELIM}"
         gh api "repos/${GH_REPO}/pulls/${PR_NUMBER}/files" \
           --paginate --jq '.[] | "### " + .filename + " (+" + (.additions|tostring) + "/-" + (.deletions|tostring) + ")\n" + (.patch // "") + "\n"' \
-          | head -c 8000
+          | head -c 8000 || true
         echo "${DELIM}"
       } >> "$GITHUB_OUTPUT"
     env: