fix: add auth and error handling to build-test workflows#514
Conversation
- Add env.GH_TOKEN using GH_AW_GITHUB_MCP_SERVER_TOKEN secret
- Change git clone to gh repo clone (uses GH_TOKEN automatically)
- Add explicit failure handling instructions in prompts
- Workflows fail visibly when clone/build/test fails
Affected workflows: build-test-{java,rust,node,go,cpp,deno,bun}
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
✅ Coverage Check PassedOverall Coverage
Coverage comparison generated by |
❌ C++ Build Test: CLONE FAILEDError: Unable to clone test repository Details: Possible causes:
Action required: Verify the test repository exists and is accessible before re-running this workflow.
|
Smoke Test: Claude Engine ✅ PASSLast 2 Merged PRs:
Test Results:
Overall Status: PASS
|
Build Test: Node.js - FAILED ❌Status: Clone operation failed Error: Unable to clone test repository Action Required: Verify that the test repository exists and is accessible.
|
Smoke Test ResultsLast 2 merged PRs:
Test Results:
Status: PASS cc: @Mossaka
|
There was a problem hiding this comment.
Pull request overview
This pull request addresses authentication issues in build-test workflows that were causing silent failures when cloning test repositories. The PR adds GitHub token authentication and explicit error handling to ensure workflows fail visibly when operations cannot complete.
Changes:
- Added
GH_TOKENenvironment variable usingGH_AW_GITHUB_MCP_SERVER_TOKENsecret to all build-test workflows - Changed from
git clonetogh repo clonecommand for repository cloning - Added explicit error handling instructions with calls to error reporting tool when clone/build/test operations fail
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 14 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/build-test-rust.md | Added GH_TOKEN env, updated clone command to gh repo clone, added error handling section |
| .github/workflows/build-test-rust.lock.yml | Auto-generated with updated frontmatter hash and env section |
| .github/workflows/build-test-node.md | Added GH_TOKEN env, updated clone command to gh repo clone, added error handling section |
| .github/workflows/build-test-node.lock.yml | Auto-generated with updated frontmatter hash and env section |
| .github/workflows/build-test-java.md | Added GH_TOKEN env, updated clone command to gh repo clone, added error handling section |
| .github/workflows/build-test-java.lock.yml | Auto-generated with updated frontmatter hash and env section |
| .github/workflows/build-test-go.md | Added GH_TOKEN env, updated clone command to gh repo clone, added error handling section |
| .github/workflows/build-test-go.lock.yml | Auto-generated with updated frontmatter hash and env section |
| .github/workflows/build-test-deno.md | Added GH_TOKEN env, updated clone command to gh repo clone, added error handling section |
| .github/workflows/build-test-deno.lock.yml | Auto-generated with updated frontmatter hash and env section |
| .github/workflows/build-test-cpp.md | Added GH_TOKEN env, updated clone command to gh repo clone, added error handling section |
| .github/workflows/build-test-cpp.lock.yml | Auto-generated with updated frontmatter hash and env section |
| .github/workflows/build-test-bun.md | Added GH_TOKEN env, updated clone command to gh repo clone, added error handling section |
| .github/workflows/build-test-bun.lock.yml | Auto-generated with updated frontmatter hash and env section |
Comments suppressed due to low confidence (7)
.github/workflows/build-test-go.md:51
- The tool name
safeoutputs-missing_toolis incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simplymissing_tool. This instruction should be: "If clone fails, immediately callmissing_toolwith reason 'CLONE_FAILED: Unable to clone test repository' and stop execution".
- **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
.github/workflows/build-test-rust.md:80
- The tool name
safeoutputs-missing_toolis incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simplymissing_tool. Update all references in this Error Handling section to usemissing_toolinstead ofsafeoutputs-missing_tool.
1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
.github/workflows/build-test-node.md:51
- The tool name
safeoutputs-missing_toolis incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simplymissing_tool. This instruction should be: "If clone fails, immediately callmissing_toolwith reason 'CLONE_FAILED: Unable to clone test repository' and stop execution".
- **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
.github/workflows/build-test-deno.md:85
- The tool name
safeoutputs-missing_toolis incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simplymissing_tool. Update all references in this Error Handling section to usemissing_toolinstead ofsafeoutputs-missing_tool.
1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
2. **Deno install failure**: Call `safeoutputs-missing_tool` with "DENO_INSTALL_FAILED: [error message]"
.github/workflows/build-test-java.md:80
- The tool name
safeoutputs-missing_toolis incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simplymissing_tool. Update all references in this Error Handling section to usemissing_toolinstead ofsafeoutputs-missing_tool.
1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
.github/workflows/build-test-cpp.md:47
- The tool name
safeoutputs-missing_toolis incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simplymissing_tool. This instruction should be: "If clone fails, immediately callmissing_toolwith reason 'CLONE_FAILED: Unable to clone test repository' and stop execution".
- **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
.github/workflows/build-test-bun.md:84
- The tool name
safeoutputs-missing_toolis incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simplymissing_tool. Update all references in this Error Handling section to usemissing_toolinstead ofsafeoutputs-missing_tool.
1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
2. **Bun install failure**: Call `safeoutputs-missing_tool` with "BUN_INSTALL_FAILED: [error message]"
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| 1. **Clone Repository**: `git clone https://github.com/Mossaka/gh-aw-firewall-test-java.git /tmp/test-java` | ||
| 1. **Clone Repository**: `gh repo clone Mossaka/gh-aw-firewall-test-java /tmp/test-java` | ||
| - **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution |
There was a problem hiding this comment.
The tool name safeoutputs-missing_tool is incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simply missing_tool. This instruction should be: "If clone fails, immediately call missing_tool with reason 'CLONE_FAILED: Unable to clone test repository' and stop execution".
|
|
||
| **CRITICAL**: This workflow MUST fail visibly when errors occur: | ||
|
|
||
| 1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]" |
There was a problem hiding this comment.
The tool name safeoutputs-missing_tool is incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simply missing_tool. Update all references in this Error Handling section to use missing_tool instead of safeoutputs-missing_tool.
| env: | ||
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} |
There was a problem hiding this comment.
After adding GH_TOKEN to the workflow environment (lines 43-44), the gh CLI will now be authenticated within the container. However, the auto-generated prompt around line 506 of this file still states "The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations." This creates a contradiction with the new instructions in the .md file that tell the agent to use gh repo clone. The file needs to be recompiled with updated logic that recognizes when GH_TOKEN is set and adjusts the authentication message accordingly.
| env: | |
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} | |
| env: {} |
|
|
||
| 1. **Clone Repository**: `git clone https://github.com/Mossaka/gh-aw-firewall-test-rust.git /tmp/test-rust` | ||
| 1. **Clone Repository**: `gh repo clone Mossaka/gh-aw-firewall-test-rust /tmp/test-rust` | ||
| - **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution |
There was a problem hiding this comment.
The tool name safeoutputs-missing_tool is incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simply missing_tool. This instruction should be: "If clone fails, immediately call missing_tool with reason 'CLONE_FAILED: Unable to clone test repository' and stop execution".
|
|
||
| **CRITICAL**: This workflow MUST fail visibly when errors occur: | ||
|
|
||
| 1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]" |
There was a problem hiding this comment.
The tool name safeoutputs-missing_tool is incorrect. According to the codebase conventions (see .github/aw/debug-agentic-workflow.md:192-193), safe-output tools should NOT have a "safeoutputs-" prefix. The correct tool name is simply missing_tool. Update all references in this Error Handling section to use missing_tool instead of safeoutputs-missing_tool.
| env: | ||
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} |
There was a problem hiding this comment.
After adding GH_TOKEN to the workflow environment (lines 43-44), the gh CLI will now be authenticated within the container. However, the auto-generated prompt around line 506 of this file still states "The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations." This creates a contradiction with the new instructions in the .md file that tell the agent to use gh repo clone. The file needs to be recompiled with updated logic that recognizes when GH_TOKEN is set and adjusts the authentication message accordingly.
| env: | ||
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} |
There was a problem hiding this comment.
After adding GH_TOKEN to the workflow environment (lines 43-44), the gh CLI will now be authenticated within the container. However, the auto-generated prompt around line 506 of this file still states "The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations." This creates a contradiction with the new instructions in the .md file that tell the agent to use gh repo clone. The file needs to be recompiled with updated logic that recognizes when GH_TOKEN is set and adjusts the authentication message accordingly.
| env: | ||
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} | ||
|
|
There was a problem hiding this comment.
After adding GH_TOKEN to the workflow environment (lines 43-44), the gh CLI will now be authenticated within the container. However, the auto-generated prompt around line 506 of this file still states "The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations." This creates a contradiction with the new instructions in the .md file that tell the agent to use gh repo clone. The file needs to be recompiled with updated logic that recognizes when GH_TOKEN is set and adjusts the authentication message accordingly.
| env: | |
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} |
| env: | ||
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} |
There was a problem hiding this comment.
After adding GH_TOKEN to the workflow environment (lines 43-44), the gh CLI will now be authenticated within the container. However, the auto-generated prompt around line 506 of this file still states "The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations." This creates a contradiction with the new instructions in the .md file that tell the agent to use gh repo clone. The file needs to be recompiled with updated logic that recognizes when GH_TOKEN is set and adjusts the authentication message accordingly.
| env: | ||
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} |
There was a problem hiding this comment.
After adding GH_TOKEN to the workflow environment (lines 43-44), the gh CLI will now be authenticated within the container. However, the auto-generated prompt around line 512 of this file still states "The gh CLI is NOT authenticated. Do NOT use gh commands for GitHub operations." This creates a contradiction with the new instructions in the .md file that tell the agent to use gh repo clone. The file needs to be recompiled with updated logic that recognizes when GH_TOKEN is set and adjusts the authentication message accordingly.
1 participant
Summary
env.GH_TOKENusingGH_AW_GITHUB_MCP_SERVER_TOKENsecret for repository cloninggit clonetogh repo clone(uses GH_TOKEN automatically)Problem
The build-test workflows were showing as "success" even when they couldn't clone the test repositories due to authentication issues. The workflows use
git clonedirectly which doesn't have access to GitHub credentials.Solution
GH_AW_GITHUB_MCP_SERVER_TOKENasGH_TOKENto the agent containergit clone https://...togh repo clone owner/repowhich automatically uses theGH_TOKENenvironment variablesafeoutputs-missing_toolwith clear error messages when clone failsAffected Workflows
Test Plan
🤖 Generated with Claude Code