Pull request overview
Fixes the smoke-services workflow so it can actually validate host service port access by starting required GitHub Actions service containers (Redis/PostgreSQL) and using the narrower --allow-host-service-ports flag in the agent sandbox.
Changes:
- Add a GitHub Actions `services:` block to the `smoke-services` agent job for Redis (6379) and PostgreSQL (5432), including health checks.
- Replace `--enable-host-access` with `--allow-host-service-ports 6379,5432` in the agent job's `awf` invocation.
- Extend `postprocess-smoke-workflows.ts` to re-apply these workflow adjustments after recompilation from the `.md` source.
| File | Description |
|---|---|
| `scripts/ci/postprocess-smoke-workflows.ts` | Adds smoke-services-specific post-processing to inject `services:` and rewrite the awf host-access flag in the compiled lock workflow. |
| `.github/workflows/smoke-services.lock.yml` | Adds Redis/PostgreSQL `services:` to the agent job and swaps `--enable-host-access` for `--allow-host-service-ports 6379,5432`. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 2
scripts/ci/postprocess-smoke-workflows.ts

```ts
if (!agentJobHostServicePortsRegex.test(content)) {
  if (agentJobEnableHostAccessRegex.test(content)) {
    const matchCount = (content.match(agentJobEnableHostAccessRegex) || []).length;
    if (matchCount > 1) {
      console.warn(
        `  WARNING: Found ${matchCount} matches for agent job --enable-host-access pattern. ` +
        `Only the first will be replaced. Manual review recommended.`
      );
```
`matchCount` is computed via `content.match(agentJobEnableHostAccessRegex).length`, but since the regex is non-global this returns the length of the match array (full match + capture groups), not the number of occurrences. With two capture groups, this will always be 3 on a single match and will always trigger the "multiple matches" warning incorrectly. Use a global regex (or `matchAll`) for counting occurrences, or remove the count/warning if the pattern is guaranteed unique.
scripts/ci/postprocess-smoke-workflows.ts

```ts
// in single quotes (the detection job uses a shorter unquoted domain list). We use
// a non-greedy match anchored to --build-local to avoid cross-line over-matching.
```
The comment says the `--allow-domains ...` match is "non-greedy", but the regex uses `[^\n]*` which is greedy. Either make the quantifier non-greedy (to match the comment) or update the comment so future readers aren't misled about how much of the command line can be consumed by the pattern.
Suggested change:

```suggestion
// in single quotes (the detection job uses a shorter unquoted domain list). We match
// only within a single line and bound the match with the later --build-local flag to
// avoid cross-line over-matching.
```
@copilot apply changes based on the comments in this thread
…ces regex

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/66779f5a-5f09-4a5a-ad70-18101d2c76ce
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Fixed in 367f53c:
✅ Coverage Check Passed
Overall Coverage
📁 Per-file Coverage Changes (1 file)
Coverage comparison generated by
Smoke test results — run 24055842277 ✅
GitHub MCP: #1722 "feat: propagate host.docker.internal to child containers", #1721 "fix: enforce shared net namespace for child containers"
Overall: PASS
Smoke Test Results
PR: fix(smoke-services): add GitHub Actions services block and use --allow-host-service-ports
Overall: PARTIAL — MCP ✅, pre-step smoke data missing (workflow outputs not populated)
Smoke Test: GitHub Actions Services Connectivity
All checks passed. (
Smoke test results:
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
The smoke-services workflow could never succeed: no GitHub Actions `services:` block existed to start Redis or PostgreSQL, and the AWF sandbox used `--enable-host-access` (broad) instead of `--allow-host-service-ports` (the flag the workflow is supposed to validate).

Changes

- `smoke-services.lock.yml`, agent job: Add `services:` block with Redis 7-alpine (6379) and PostgreSQL 15-alpine (5432), each with health checks. Replace `--enable-host-access` with `--allow-host-service-ports 6379,5432` in the AWF invocation. The detection job retains `--enable-host-access`.
- `postprocess-smoke-workflows.ts`: Add smoke-services-specific post-processing so both changes survive recompiles from the `.md` source (idempotent; warns if expected patterns are missing). The `--allow-host-service-ports` replacement is scoped to the agent job via a regex anchored to the long single-quoted `--allow-domains` list, which is unique to that job.

Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
- https://api.github.com/repos/github/gh-aw-firewall/actions/artifacts/6294810963/zip
  `/usr/bin/gh gh api repos/github/gh-aw-firewall/actions/artifacts/6294810963/zip --header Accept: application/vnd.github+json` (http block)
- https://api.github.com/repos/github/gh-aw-firewall/actions/runs/24052321097/artifacts
  `/usr/bin/gh gh run download 24052321097 --repo github/gh-aw-firewall --name agent --dir /tmp/agent-logs-run` (http block)

If you need me to access, download, or install something from one of these locations, you can either:
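As an added example (not the gh-aw-firewall project's own `postprocess-smoke-workflows.ts` and not code from this PR), the TypeScript below shows the two points this thread turns on in one place: counting occurrences of the agent-job pattern with a global regex instead of `String.prototype.match` on a non-global one (the bug the first review comment flags, where `.length` is the size of `[fullMatch, group1, group2]`), and scoping the `--enable-host-access` to `--allow-host-service-ports 6379,5432` rewrite to the agent job by anchoring on its single-quoted `--allow-domains` list while keeping the rewrite idempotent (the approach the PR description outlines). The regex shape, the function names and the workflow snippet are assumptions constructed for this example; the real compiled lock file may look different.

```typescript
// Added example, not the project's postprocess-smoke-workflows.ts. Names, the
// regex shape and the sample workflow text are assumptions for illustration.

const HOST_SERVICE_PORTS = "6379,5432";

// The agent job's awf invocation is identified by its long single-quoted
// --allow-domains list; the detection job uses an unquoted list and keeps
// --enable-host-access. [^\n] keeps the whole match on one line, and the lazy
// second group stops at the first --enable-host-access on that line.
export const AGENT_JOB_ENABLE_HOST_ACCESS =
  /(--allow-domains\s+'[^'\n]*')([^\n]*?)\s--enable-host-access\b/;

// Count occurrences with a global regex. With a non-global regex,
// String.prototype.match returns [fullMatch, group1, group2], so its .length
// is 3 for a single hit; matchAll with the g flag yields one entry per hit.
export function countMatches(content: string, re: RegExp): number {
  const flags = re.flags.includes("g") ? re.flags : re.flags + "g";
  return Array.from(content.matchAll(new RegExp(re.source, flags))).length;
}

export interface RewriteResult {
  content: string;
  changed: boolean;
  warnings: string[];
}

// Replace the agent job's broad --enable-host-access with a narrow port
// allowlist. Idempotent: a file already carrying the narrow flag is returned
// untouched, so the step is safe to run after every recompile from the .md source.
export function rewriteAgentHostAccess(content: string): RewriteResult {
  const warnings: string[] = [];
  if (/--allow-host-service-ports\b/.test(content)) {
    return { content, changed: false, warnings };
  }
  const n = countMatches(content, AGENT_JOB_ENABLE_HOST_ACCESS);
  if (n === 0) {
    warnings.push("agent job --enable-host-access pattern not found; manual review recommended");
    return { content, changed: false, warnings };
  }
  if (n > 1) {
    warnings.push(`found ${n} matches for agent job --enable-host-access pattern; only the first will be replaced`);
  }
  // String.replace with a non-global regex touches only the first occurrence;
  // $1 and $2 keep the --allow-domains list and anything between it and the flag.
  const rewritten = content.replace(
    AGENT_JOB_ENABLE_HOST_ACCESS,
    `$1$2 --allow-host-service-ports ${HOST_SERVICE_PORTS}`,
  );
  return { content: rewritten, changed: true, warnings };
}

// Constructed sample of a compiled lock workflow (not the real smoke-services.lock.yml).
export const SAMPLE_LOCK_YML = [
  "jobs:",
  "  detection:",
  "    steps:",
  "      - run: awf --allow-domains api.github.com,github.com --enable-host-access -- node detect.js",
  "  agent:",
  "    steps:",
  "      - run: awf --allow-domains 'api.github.com,github.com,objects.githubusercontent.com' --enable-host-access --build-local -- node agent.js",
].join("\n");

// Stand-alone run: the first pass narrows the agent job, the second pass is a no-op,
// and the detection job keeps its broad flag throughout.
const first = rewriteAgentHostAccess(SAMPLE_LOCK_YML);
const second = rewriteAgentHostAccess(first.content);
console.log(first.changed, second.changed);
console.log(first.content);
```

The idempotency guard is what lets the post-processing step run unconditionally after each recompile; without it, a second pass would report a missing pattern and the warning would be noise rather than signal.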