Fix SIGTERM propagation to AWF process for timeout-minutes enforcement by Copilot · Pull Request #24013 · github/gh-aw

Copilot · 2026-04-02T04:25:33Z

timeout-minutes on the agent step is not enforced because the cmd 2>&1 | tee -a logfile pipeline blocks SIGTERM: tee doesn't forward signals upstream and sudo may intercept before awf receives them.

Changes

pkg/workflow/awf_helpers.go — BuildAWFCommand() now generates a shell script that:
- Uses a named FIFO (mkfifo) instead of a pipe or process substitution, so awf and tee are independent background processes with separately captured PIDs
- Sends kill -TERM -- -"$_awf_pid" (process group kill) in the TERM/INT trap, ensuring the signal reaches awf even when sudo intercepts the initial delivery
- Waits on both $_awf_pid (awf/sudo) and $_awf_tee_pid (tee) independently, so logging failures (e.g. disk full) are detected and fail the step
- Preserves the awf exit code via _awf_exit and passes it to the final exit
Golden files + 179 lock files — recompiled to reflect new script shape

Generated script (before → after)

Before:

set -o pipefail
touch /tmp/gh-aw/agent-step-summary.md
# shellcheck disable=SC1003
sudo -E awf ... \
  -- /bin/bash -c '...' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log

After:

set -o pipefail
touch /tmp/gh-aw/agent-step-summary.md
# Signal forwarding: capture AWF PID to relay SIGTERM/SIGINT on timeout.
# kill -TERM -- -$pid sends to the whole process group, reaching awf even
# when sudo does not forward the signal.
_awf_log=$(mktemp -u)
mkfifo "$_awf_log"
_awf_pid="" _awf_tee_pid=""
_awf_terminate() {
  [ -n "$_awf_pid" ] && kill -TERM -- -"$_awf_pid" 2>/dev/null || true
}
trap '_awf_terminate' TERM INT
tee -a /tmp/gh-aw/agent-stdio.log < "$_awf_log" &
_awf_tee_pid=$!
# shellcheck disable=SC1003
sudo -E awf ... \
  -- /bin/bash -c '...' > "$_awf_log" 2>&1 &
_awf_pid=$!
wait "$_awf_pid"; _awf_exit=$?
wait "$_awf_tee_pid"
rm -f "$_awf_log"
exit "$_awf_exit"

[!WARNING]

…substitution and add SIGTERM trap The original `cmd 2>&1 | tee -a logfile` pipeline breaks SIGTERM delivery when GitHub Actions enforces timeout-minutes. The runner sends SIGTERM to the shell, but tee does not forward it upstream to awf, and sudo may also intercept the signal. The fix uses two techniques: 1. Process substitution (> >(tee -a)) instead of a pipe so that awf is the foreground process and its PID can be captured. 2. An explicit SIGTERM/SIGINT trap that kills the captured AWF PID, ensuring the signal reaches awf even when sudo intercepts it. Updated wasm golden test files and recompiled all 179 workflow lock files. Fixes: #23965 Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e0e3e49b-8af7-4519-a71b-2748d64cffcc Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan · 2026-04-02T04:51:51Z

@lpcox maybe we should have a job level timeout as well.

Copilot

Pull request overview

This PR fixes timeout-minutes enforcement for agent steps by changing how the AWF-wrapped engine command is executed and logged, ensuring SIGTERM/SIGINT can be relayed to the AWF process rather than being swallowed by a | tee pipeline and/or sudo.

Changes:

Update BuildAWFCommand() to replace 2>&1 | tee -a ... with process substitution > >(tee -a ...) 2>&1, and add a TERM/INT trap that attempts to terminate the captured PID.
Regenerate workflow lock files to reflect the new generated shell script shape.
Update WASM golden fixtures to match the new generated script.

Reviewed changes

Copilot reviewed 157 out of 182 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/workflow/awf_helpers.go	Generates a different bash script for AWF execution to improve SIGTERM/SIGINT propagation under timeouts.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden	Updates golden output for the new AWF execution/trap script.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden	Updates golden output for the new AWF execution/trap script.
.github/workflows/workflow-health-manager.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/workflow-generator.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/weekly-blog-post-writer.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/test-workflow.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/test-project-url-default.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/test-dispatcher.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/terminal-stylist.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/super-linter.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/sub-issue-closer.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/security-review.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/security-compliance.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/repository-quality-improver.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/repo-tree-map.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/repo-audit-analyzer.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/refiner.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/q.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/pr-triage-agent.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/pr-nitpick-reviewer.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/plan.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/pdf-summary.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/notion-issue-summary.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/metrics-collector.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/jsweep.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/issue-triage-agent.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/issue-monster.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/gpclean.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/github-remote-mcp-auth-test.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/firewall.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/example-permissions-warning.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/dictation-prompt.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/dev.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/dependabot-go-checker.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/dependabot-burner.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/dead-code-remover.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/daily-team-status.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/daily-semgrep-scan.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/daily-secrets-analysis.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/daily-regulatory.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/daily-malicious-code-scan.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/daily-cli-tools-tester.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/daily-cli-performance.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/daily-assign-issue-to-user.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/daily-architecture-diagram.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/craft.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/contribution-check.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/constraint-solving-potd.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/codex-github-remote-mcp-test.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/code-simplifier.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/code-scanning-fixer.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/ci-coach.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/changeset.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/brave.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/bot-detection.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/archie.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/ai-moderator.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/agentic-observability-kit.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/agent-persona-explorer.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/agent-performance-analyzer.lock.yml	Regenerated to use process substitution + trap/wait pattern.
.github/workflows/ace-editor.lock.yml	Regenerated to use process substitution + trap/wait pattern.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-04-02T05:13:10Z

pkg/workflow/awf_helpers.go

+	const awfSignalTrap = `# Signal forwarding: capture AWF PID to relay SIGTERM/SIGINT on timeout.
+# Without this, the pipe (| tee) and sudo intercept the signal before awf
+# receives it, so GitHub Actions timeout-minutes is not enforced.
+_awf_pid=""
+_awf_terminate() { [ -n "$_awf_pid" ] && kill -TERM "$_awf_pid" 2>/dev/null || true; }
+trap '_awf_terminate' TERM INT`


The signal trap kills $_awf_pid, but with sudo -E awf ... & $! will typically be the PID of sudo, not the actual awf process (sudo often forks/execs the target). In that case, kill -TERM "$ _awf_pid" may terminate sudo while leaving awf running, which would still prevent timeout-minutes from being enforced. Consider sending the signal to the whole process group (e.g., kill -TERM -- -"$_awf_pid") or otherwise ensuring the PID you capture is the one that will reliably terminate awf.

Copilot · 2026-04-02T05:13:10Z

pkg/workflow/awf_helpers.go

+	//   1. Process substitution (> >(tee -a)) instead of a pipe so that awf
+	//      is the foreground process and its PID can be captured.
+	//   2. An explicit SIGTERM/SIGINT trap that kills the captured AWF PID,
+	//      ensuring the signal reaches awf even when sudo intercepts it.


The rationale comment says process substitution makes awf the “foreground process”, but the generated command backgrounds it (... 2>&1 &) and then waits. This is a bit misleading for future readers (and could affect how signals/TTY behavior is reasoned about). Suggest rewording the comment to emphasize “not in a pipe / PID can be captured” rather than “foreground process”.

Copilot · 2026-04-02T05:13:10Z

pkg/workflow/awf_helpers.go

 		command = fmt.Sprintf(`set -o pipefail
 %s
+%s
 # shellcheck disable=SC1003
 %s %s %s \
-  -- %s 2>&1 | tee -a %s`,
+  -- %s > >(tee -a %s) 2>&1 &
+_awf_pid=$!
+wait "$_awf_pid"`,


Switching from a pipe to process substitution means the script no longer observes tee’s exit status. Previously, set -o pipefail would fail the step if tee -a failed (disk full/permission issues), but now wait "$_awf_pid" only reflects the awf/sudo exit code and logging failures could go unnoticed. If log capture is still expected to be reliable, consider a pattern that can also wait/check tee (e.g., FIFO + background tee with captured PID) or document that tee failures are intentionally ignored.

pelikhan · 2026-04-02T05:20:24Z

@copilot review comments

…ect tee failures via FIFO - Use `kill -TERM -- -"$_awf_pid"` to signal the whole process group, ensuring awf is reached even when sudo intercepts the initial SIGTERM - Replace process substitution with a FIFO so both awf and tee PIDs can be tracked and waited on — tee failures (e.g. disk full) now fail the step - Fix comment: "foreground process" → "not in a pipe / PID can be captured" (the command is backgrounded with & and waited on) Recompiled all 179 lock files and updated wasm golden fixtures. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/be54e6d4-adb2-4bb9-9a99-72d2c3434477 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-04-02T05:28:25Z

@copilot review comments

Addressed all three review comments in 1fe2d5f:

Process group kill: Changed kill -TERM "$_awf_pid" → kill -TERM -- -"$_awf_pid" to signal the whole process group, so awf is reached even when sudo intercepts the initial delivery.
Misleading comment: Fixed "foreground process" → explains that the command is backgrounded with & and waited on — the point is that awf is not bound inside a pipe, so its PID can be captured independently.
tee exit status: Replaced process substitution with a named FIFO (mkfifo). tee runs as a separate background process with $_awf_tee_pid captured, then both wait "$_awf_pid" and wait "$_awf_tee_pid" are called. If tee fails, the step now fails.

Generated script shape:

_awf_log=$(mktemp -u)
mkfifo "$_awf_log"
_awf_pid="" _awf_tee_pid=""
_awf_terminate() {
  [ -n "$_awf_pid" ] && kill -TERM -- -"$_awf_pid" 2>/dev/null || true
}
trap '_awf_terminate' TERM INT
tee -a /tmp/gh-aw/agent-stdio.log < "$_awf_log" &
_awf_tee_pid=$!
sudo -E awf ... > "$_awf_log" 2>&1 &
_awf_pid=$!
wait "$_awf_pid"; _awf_exit=$?
wait "$_awf_tee_pid"
rm -f "$_awf_log"
exit "$_awf_exit"

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw --local .cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git se 4610086/b066/vetjs/fuzz_sanitize_output_harness.cjs .cfg git (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw --local ache/go/1.25.0/x64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git .egg pull.rebase ache/go/1.25.0/x64/pkg/tool/linu--show-toplevel git (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build4224610086/b188/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha get --local 64/pkg/tool/linux_amd64/compile committer.name (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -stringintconv -tests /usr/bin/git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha 4610086/b001/_pkg_.a -trimpath 4610086/b001=> -p github.com/davecrev-parse -lang=go1.16 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� RsqL/JPr9FPAicaVHg36rRsqL /tmp/go-build4224610086/b092/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -c=4 -nolocalimports -importcfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha -unreachable=false /tmp/go-build4224610086/b013/vet.cfg 4610086/b280/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -unreachable=false /tmp/go-build4224610086/b012/vet.cfg 4610086/b275/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -unreachable=false /tmp/go-build4224610086/b016/vet.cfg 4610086/b245/vet.cfg (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha t0 0s smGolden_CompileFixtures|TestBuildAWF|TestCopilot.*Execution|TestCodex.*Execution|TestClaude.*Ex--show-toplevel (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha 4610086/b001/workflow.test -trimpath 4610086/b001/importcfg.link -p github.com/stretrev-parse -lang=go1.17 2ifkeEZGO2rhm/JPr9FPAicaVHg36rRsqL/a8_d2ag39lRA-fD4c_Ir/RpFpU482ifkeEZGO2rhm -uns�� ry=1 /tmp/go-build4224610086/b097/vet.cfg 4610086/b001/_pkg_.a -c=4 -nolocalimports -importcfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git se 4610086/b144/vetjs/fuzz_sanitize_output_harness.cjs ache/go/1.25.0/x64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/gh --verify copilot/investigimage lsb_release gh (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git -unreachable=falgit /tmp/go-build422-C /opt/hostedtoolc/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } -unreachable=faldocker /tmp/go-build422image /usr/local/bin/iinspect basename (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git --local committer.email ache/go/1.25.0/x64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git copilot/investiggit (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --noprofile (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel -tests /usr/bin/git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet $name) { hasDiscussionsEnabled } } se 4610086/b227/vet-1 systemd-run git rev-�� --show-toplevel bash /usr/bin/git linuxagent-logcogit (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

pelikhan · 2026-04-02T05:30:00Z

@copilot merge main and recompile

…ignal-propagation-path # Conflicts: # .github/workflows/ai-moderator.lock.yml # .github/workflows/changeset.lock.yml # .github/workflows/ci-doctor.lock.yml # .github/workflows/codex-github-remote-mcp-test.lock.yml # .github/workflows/daily-fact.lock.yml # .github/workflows/daily-issues-report.lock.yml # .github/workflows/daily-observability-report.lock.yml # .github/workflows/duplicate-code-detector.lock.yml # .github/workflows/grumpy-reviewer.lock.yml # .github/workflows/issue-arborist.lock.yml # .github/workflows/schema-feature-coverage.lock.yml # .github/workflows/smoke-agent-all-merged.lock.yml # .github/workflows/smoke-agent-all-none.lock.yml # .github/workflows/smoke-agent-public-approved.lock.yml # .github/workflows/smoke-agent-public-none.lock.yml # .github/workflows/smoke-agent-scoped-approved.lock.yml # .github/workflows/smoke-call-workflow.lock.yml # .github/workflows/smoke-codex.lock.yml Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ac282fd9-3a60-4964-8f24-0ecf2725dc38 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-04-02T05:36:04Z

@copilot merge main and recompile

Done in 6b9c6d6. Merged origin/main (resolved 18 lock file conflicts), rebuilt the binary, and recompiled all 179 workflow lock files.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw gpg.program /home/REDACTED/.lo--show-toplevel git rev-�� --show-toplevel git /usr/bin/git ithub/workflows (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build1487557801/b049/vet.cfg 7557801/b319/vet.cfg (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows .cfg 64/pkg/tool/linux_amd64/vet remote.origin.urgit (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha json' --ignore-p-errorsas pull.rebase /usr/bin/git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git js/**/*.json' --git --local bash git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git k/gh-aw/gh-aw/.ggit (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha npx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha prettier --write /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet !../../../pkg/wogit --ignore-path ../../../.pretti--show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build1487557801/b060/vet.cfg 7557801/b304/vet.cfg ignore-path ../.git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git ithub/workflows .git/COMMIT_EDITrev-parse x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git */*.ts' '**/*.jsgit config x_amd64/vet git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha npx prettier --write '../../../**/*.json' '!../../../pkg/workflo-errorsas (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --write ache/go/1.25.0/x64/src/testing/internal/testdeps/deps.go 7557801/b153/vet.cfg --ignore-path ../../../.prettirev-parse git /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build1487557801/b010/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha prettier --write 7557801/b150/vet.cfg !../../../pkg/wogit --ignore-path ../../../.pretti--show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build1487557801/b052/vet.cfg 7557801/b303/vet.cfg ignore-path ../.git (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha npx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha npx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha npx prettier --write '../../../**/*.json' '!../../../pkg/workflo-errorsas (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows .cfg 64/pkg/tool/linux_amd64/vet nore (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha k/gh-aw/gh-aw/.github/workflows .cfg 64/pkg/tool/linux_amd64/vet nore (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel -tests /usr/bin/git get --local (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha get --local me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } commit.gpgsign (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha js/**/*.json' --ignore-path ../../../.prettierignore --local repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } commit.gpgsign (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

pelikhan · 2026-04-02T10:27:07Z

@lpcox @Mossaka fix looks very ugly

github-actions · 2026-04-02T13:22:48Z

Hey @Copilot 👋 — great work on this SIGTERM propagation fix! Addressing the timeout-minutes enforcement gap caused by tee blocking signal delivery is a meaningful reliability improvement, and the FIFO-based approach cleanly decouples awf and tee as independent processes with separately tracked PIDs.

The PR is well-structured, includes a thorough before/after script comparison, and the golden test files and 179 regenerated lock files all look like expected artifacts of the template change. This is exactly the kind of core infrastructure improvement the project benefits from.

This PR looks ready for maintainer review. ✅

Generated by Contribution Check · ◷

Mossaka · 2026-04-02T22:06:35Z

I think the right fix should be in awf: github/gh-aw-firewall#1623

Initial plan

d1fd777

Copilot AI assigned Copilot and pelikhan Apr 2, 2026

Copilot started work on behalf of pelikhan April 2, 2026 04:28 View session

Copilot AI linked an issue Apr 2, 2026 that may be closed by this pull request

[plan] Investigate signal propagation path in AWF agent step (sudo + pipe + Docker PID namespace) #23967

Open

4 tasks

Copilot AI changed the title ~~[WIP] Investigate signal propagation path in AWF agent step~~ Fix SIGTERM propagation to AWF process for timeout-minutes enforcement Apr 2, 2026

Copilot finished work on behalf of pelikhan April 2, 2026 04:52

Copilot AI requested a review from pelikhan April 2, 2026 04:52

pelikhan marked this pull request as ready for review April 2, 2026 05:08

Copilot AI review requested due to automatic review settings April 2, 2026 05:08

Copilot started reviewing on behalf of pelikhan April 2, 2026 05:10 View session

Copilot AI reviewed Apr 2, 2026

View reviewed changes

Copilot started work on behalf of pelikhan April 2, 2026 05:20 View session

Copilot finished work on behalf of pelikhan April 2, 2026 05:29

Copilot started work on behalf of pelikhan April 2, 2026 05:30 View session

Copilot AI and others added 2 commits April 2, 2026 05:34

Merge main and recompile all lock files

6b9c6d6

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/ac282fd9-3a60-4964-8f24-0ecf2725dc38 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot finished work on behalf of pelikhan April 2, 2026 05:36

github-actions bot mentioned this pull request Apr 2, 2026

[aw] No-Op Runs #23927

Open

github-actions bot added the lgtm label Apr 2, 2026

This comment has been minimized.

Sign in to view

github-actions bot mentioned this pull request Apr 2, 2026

[Contribution Check Report] Contribution Check — 2026-04-02 #23991

Open

This was referenced Apr 2, 2026

fix: Gemini CLI exits 41 in AWF sandbox — missing API key and ~/.gemini dir #23695

Draft

Smoke Test: Copilot ARM64 - 23896090657 #24050

Closed

This was referenced Apr 2, 2026

Smoke Test: Copilot - 23913046061 #24149

Closed

[PR Triage Report] PR Triage Report - 2026-04-02 #24153

Open

pelikhan closed this Apr 2, 2026

Conversation

Copilot AI commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Generated script (before → after)

Uh oh!

pelikhan commented Apr 2, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

Uh oh!

pelikhan commented Apr 2, 2026

Uh oh!

Copilot AI commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Apr 2, 2026

Uh oh!

Copilot AI commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

This comment has been minimized.

pelikhan commented Apr 2, 2026

Uh oh!

github-actions bot commented Apr 2, 2026

Uh oh!

Mossaka commented Apr 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Copilot AI commented Apr 2, 2026 •

edited

Loading

Copilot AI commented Apr 2, 2026 •

edited

Loading

Copilot AI commented Apr 2, 2026 •

edited

Loading