Fix: Inject git identity env vars into AWF sandbox execution steps#20056

Merged
pelikhan merged 3 commits into main from copilot/fix-git-identity-in-sandbox
Mar 8, 2026

Copilot AI commented Mar 8, 2026

In AWF sandbox mode, git config --global on the host writes to ~/.gitconfig, which is not mounted into the container. The first git commit fails with "Author identity unknown", causing agents to self-configure with their own identity.

Root cause

awf --env-all forwards environment variables but not host filesystem paths. Git env vars (GIT_AUTHOR_*, GIT_COMMITTER_*) take precedence over ~/.gitconfig and are properly forwarded into the container.

Changes

  • git_configuration_steps.go — Added getGitIdentityEnvVars() returning the four identity vars mirroring the github-actions[bot] values already used by generateGitConfigurationSteps()

  • All four engines (copilot, claude, codex, gemini) — When isFirewallEnabled, merge git identity vars into the execution step's env: block before user-customized vars (preserving override capability):

if isFirewallEnabled(workflowData) {
    maps.Copy(env, getGitIdentityEnvVars())
}

  • git_identity_env_test.go — Tests covering all four engines: vars present in sandbox mode, absent in non-sandbox mode

  • Golden files & lock files — Regenerated to reflect the new env vars in compiled workflows

The existing "Configure Git credentials" step is unchanged (defense-in-depth for host-side git ops).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:




✨ PR Review Safe Output Test - Run 22823768132

💥 [THE END] — Illustrated by Smoke Claude ·


Changeset

  • Type: patch
  • Description: Pass host Git identity environment variables into AWF sandbox execution steps so sandbox commits keep the caller's author/committer info.

Generated by Changeset Generator for issue #20056 ·

Warning

⚠️ Firewall blocked 3 domains

The following domains were blocked by the firewall during workflow execution:

  • ab.chatgpt.com
  • codeload.github.com
  • github.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "codeload.github.com"
    - "github.com"

See Network Configuration for more information.
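
The merge order from the PR description above (identity vars copied first, user-customized vars second, and only in sandbox mode) can be checked in isolation. The following is an added example, not code from the PR or the gh-aw repository: `buildStepEnv`, `auditIdentity`, `defaultIdentityEnv` and the bot identity values are hypothetical stand-ins.

```go
package main

import (
	"fmt"
	"maps"
	"sort"
)

// Placeholder identity (assumption). The PR's helper mirrors the
// github-actions[bot] values, which this page does not show.
const (
	botName  = "example-bot"
	botEmail = "example-bot@users.noreply.example.invalid"
)

// identityKeys are the four variables git reads ahead of ~/.gitconfig.
var identityKeys = []string{
	"GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL",
	"GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL",
}

// defaultIdentityEnv stands in for the PR's getGitIdentityEnvVars().
func defaultIdentityEnv() map[string]string {
	return map[string]string{
		"GIT_AUTHOR_NAME":     botName,
		"GIT_AUTHOR_EMAIL":    botEmail,
		"GIT_COMMITTER_NAME":  botName,
		"GIT_COMMITTER_EMAIL": botEmail,
	}
}

// buildStepEnv (hypothetical name) builds the env block of an execution step.
// Defaults are copied first so that user-supplied values overwrite them.
func buildStepEnv(sandbox bool, userEnv map[string]string) map[string]string {
	env := make(map[string]string)
	if sandbox {
		maps.Copy(env, defaultIdentityEnv())
	}
	maps.Copy(env, userEnv) // later copy wins: user override is preserved
	return env
}

// auditIdentity reports, in sorted order, what a reviewer would want to know
// about a step's env: identity vars that are missing (the first commit in the
// container would fail), vars a user overrode (informational), and
// author/committer fields that disagree after a partial override.
func auditIdentity(env map[string]string) []string {
	defaults := defaultIdentityEnv()
	findings := []string{}
	for _, key := range identityKeys {
		switch value := env[key]; {
		case value == "":
			findings = append(findings, "missing:"+key)
		case value != defaults[key]:
			findings = append(findings, "overridden:"+key)
		}
	}
	for _, field := range []string{"NAME", "EMAIL"} {
		author, committer := env["GIT_AUTHOR_"+field], env["GIT_COMMITTER_"+field]
		if author != "" && committer != "" && author != committer {
			findings = append(findings, "mismatch:"+field)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed inputs covering the three cases the PR's tests describe.
	cases := []struct {
		label   string
		sandbox bool
		user    map[string]string
	}{
		{"sandbox, no user env", true, nil},
		{"no sandbox, no user env", false, nil},
		{"sandbox, partial override", true,
			map[string]string{"GIT_AUTHOR_EMAIL": "dev@example.com"}},
	}
	for _, c := range cases {
		fmt.Printf("%-28s %v\n", c.label, auditIdentity(buildStepEnv(c.sandbox, c.user)))
	}
}
```

The partial-override case is the one worth watching in compiled workflows: a user who sets only the author variables ends up with commits whose author and committer differ.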

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix missing git identity for sandboxed agent first commit" to "Fix: Inject git identity env vars into AWF sandbox execution steps" Mar 8, 2026
pelikhan added the smoke label Mar 8, 2026
pelikhan marked this pull request as ready for review March 8, 2026 15:11
Copilot AI review requested due to automatic review settings March 8, 2026 15:11

github-actions bot commented Mar 8, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨


github-actions bot commented Mar 8, 2026

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.


github-actions bot commented Mar 8, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...


github-actions bot commented Mar 8, 2026

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...


github-actions bot commented Mar 8, 2026

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.53.0
jq 1.7
yq 4.52.4
curl 8.5.0
gh 2.87.3
node 20.20.0
python3 3.12.3
go 1.24.13
java 21.0.10
dotnet 10.0.102

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test ·


Copilot AI left a comment

Pull request overview

This PR fixes git commit author/committer identity failures when running execution steps inside the AWF sandbox by injecting GIT_AUTHOR_* / GIT_COMMITTER_* env vars into the sandboxed execution step environment.

Changes:

  • Added getGitIdentityEnvVars() helper returning the four git identity env vars matching the existing git config --global identity.
  • Updated Copilot/Claude/Codex/Gemini engines to include these env vars in execution step env: only when AWF firewall/sandbox mode is enabled (and before user-provided env overrides).
  • Added unit tests plus regenerated workflow golden/lock outputs to reflect the new env vars.

Reviewed changes

Copilot reviewed 175 out of 175 changed files in this pull request and generated 1 comment.

File Description
pkg/workflow/git_configuration_steps.go Adds getGitIdentityEnvVars() helper to centralize the bot identity env vars.
pkg/workflow/copilot_engine_execution.go Copies git identity env vars into execution env when AWF sandbox is enabled.
pkg/workflow/claude_engine.go Copies git identity env vars into execution env when firewall (AWF) is enabled.
pkg/workflow/codex_engine.go Copies git identity env vars into execution env when firewall (AWF) is enabled.
pkg/workflow/gemini_engine.go Copies git identity env vars into execution env when firewall (AWF) is enabled.
pkg/workflow/git_identity_env_test.go Adds tests validating env var presence/absence across engines depending on sandbox mode.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/basic-copilot.golden Updates golden output to include injected git identity env vars.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden Updates golden output to include injected git identity env vars.
pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/with-imports.golden Updates golden output to include injected git identity env vars.
.github/workflows/workflow-skill-extractor.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/workflow-normalizer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/workflow-health-manager.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/workflow-generator.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/weekly-issue-summary.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/weekly-editors-health-check.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/video-analyzer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/unbloat-docs.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/ubuntu-image-analyzer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/typist.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/tidy.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/test-workflow.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/test-project-url-default.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/test-dispatcher.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/test-create-pr-error-handling.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/terminal-stylist.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/technical-doc-writer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/super-linter.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/sub-issue-closer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/step-name-alignment.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/static-analysis-report.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/stale-repo-identifier.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-workflow-call.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-update-cross-repo-pr.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-test-tools.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-temporary-id.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-project.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-multi-pr.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-gemini.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-create-cross-repo-pr.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-copilot.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-copilot-arm.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-codex.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-claude.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/smoke-agent.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/slide-deck-maintainer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/sergo.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/semantic-function-refactor.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/security-review.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/security-compliance.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/security-alert-burndown.campaign.g.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/scout.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/schema-consistency-checker.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/safe-output-health.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/research.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/repository-quality-improver.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/repo-tree-map.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/repo-audit-analyzer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/release.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/refiner.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/q.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/python-data-charts.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/prompt-clustering-analysis.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/pr-triage-agent.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/pr-nitpick-reviewer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/portfolio-analyst.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/poem-bot.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/plan.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/pdf-summary.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/org-health-report.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/notion-issue-summary.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/metrics-collector.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/mergefest.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/mcp-inspector.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/lockfile-stats.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/layout-spec-maintainer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/jsweep.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/issue-triage-agent.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/issue-monster.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/issue-arborist.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/instructions-janitor.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/hourly-ci-cleaner.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/grumpy-reviewer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/gpclean.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/go-pattern-detector.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/go-logger.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/go-fan.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/glossary-maintainer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/github-remote-mcp-auth-test.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/github-mcp-tools-report.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/github-mcp-structural-analysis.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/functional-pragmatist.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/firewall.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/firewall-escape.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/example-workflow-analyzer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/example-permissions-warning.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/duplicate-code-detector.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/draft-pr-cleanup.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/docs-noob-tester.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/discussion-task-miner.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/dictation-prompt.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/developer-docs-consolidator.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/dev.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/dev-hawk.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/dependabot-go-checker.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/dependabot-burner.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/delight.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/deep-report.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/dead-code-remover.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-workflow-updater.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-testify-uber-super-expert.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-team-status.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-team-evolution-insights.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-syntax-error-quality.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-semgrep-scan.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-security-red-team.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-secrets-analysis.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-safe-outputs-conformance.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-safe-output-optimizer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-repo-chronicle.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-rendering-scripts-verifier.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-regulatory.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-performance-summary.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-observability-report.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-news.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-multi-device-docs-tester.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-malicious-code-scan.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-issues-report.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-firewall-report.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-file-diet.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-fact.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-doc-updater.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-doc-healer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-copilot-token-report.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-compiler-quality.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-code-metrics.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-cli-tools-tester.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-cli-performance.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-choice-test.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-assign-issue-to-user.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/daily-architecture-diagram.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/craft.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/copilot-session-insights.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/copilot-pr-prompt-analysis.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/copilot-pr-nlp-analysis.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/copilot-pr-merged-report.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/copilot-cli-deep-research.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/copilot-agent-analysis.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/contribution-check.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/constraint-solving-potd.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/commit-changes-analyzer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/codex-github-remote-mcp-test.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/code-simplifier.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/code-scanning-fixer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/cloclo.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/cli-version-checker.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/cli-consistency-checker.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/claude-code-user-docs-review.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/ci-doctor.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/ci-coach.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/chroma-issue-indexer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/changeset.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/breaking-change-checker.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/brave.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/bot-detection.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/blog-auditor.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/auto-triage-issues.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/audit-workflows.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/artifacts-summary.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/archie.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/ai-moderator.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/agent-persona-explorer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/agent-performance-analyzer.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.
.github/workflows/ace-editor.lock.yml Regenerated lockfile to include injected git identity env vars in compiled workflow.


Comment on lines +64 to +67
for _, key := range gitIdentityKeys {
if !strings.Contains(stepContent, key+": github-actions") {
t.Errorf("expected %s in sandbox execution step, but not found:\n%s", key, stepContent)
}
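
Review bot: the `strings.Contains(stepContent, key+": github-actions")` check searches the whole rendered step rather than its env: mapping, so the same text appearing anywhere else in the step (a run script, a comment) would satisfy it. Extract the env block and compare per key, and print stepContent once after the loop instead of inside every t.Errorf call, so a failure with several missing keys stays readable.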

Copilot AI Mar 8, 2026

The sandbox-mode assertions only check for the substring key+": github-actions", which would still pass if the value regresses (e.g., wrong email domain or missing [bot]). Consider asserting the full expected KEY: VALUE pairs (or iterating over the expected map from TestGetGitIdentityEnvVars and checking those exact lines) to make the tests catch value changes, not just presence.

Copilot uses AI. Check for mistakes.
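
The stricter assertion suggested in the comment above, as an added Go example that is not part of the PR or the gh-aw code base. The helper names (`parseEnvBlock`, `failing`, `substringCheck`, `exactCheck`), the step text and the regressed values are constructed for illustration, and the committer values are assumed to equal the author values shown on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Author values are from this page; committer values are assumed identical.
var expectedGitIdentity = map[string]string{
	"GIT_AUTHOR_NAME":     "github-actions[bot]",
	"GIT_AUTHOR_EMAIL":    "github-actions[bot]@users.noreply.github.com",
	"GIT_COMMITTER_NAME":  "github-actions[bot]",
	"GIT_COMMITTER_EMAIL": "github-actions[bot]@users.noreply.github.com",
}

// stepTemplate is a constructed sample of a rendered execution step.
const stepTemplate = `- name: Execute agent (constructed)
  env:
    GITHUB_WORKSPACE: ${{ github.workspace }}
    GIT_AUTHOR_EMAIL: %s
    GIT_AUTHOR_NAME: github-actions[bot]
    GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
    GIT_COMMITTER_NAME: %s
  run: echo placeholder`

var (
	goodStep      = fmt.Sprintf(stepTemplate, "github-actions[bot]@users.noreply.github.com", "github-actions[bot]")
	regressedStep = fmt.Sprintf(stepTemplate, "github-actions@example.invalid", "github-actions") // wrong domain, no "[bot]"
)

// parseEnvBlock (hypothetical helper) reads KEY: VALUE pairs from the env:
// mapping only, leaving it when indentation returns to the env: level.
func parseEnvBlock(step string) map[string]string {
	env, inEnv, envIndent := map[string]string{}, false, 0
	for _, line := range strings.Split(step, "\n") {
		trimmed := strings.TrimSpace(line)
		indent := len(line) - len(strings.TrimLeft(line, " "))
		switch {
		case trimmed == "env:":
			inEnv, envIndent = true, indent
		case trimmed != "" && indent <= envIndent:
			inEnv = false
		case inEnv:
			if key, value, ok := strings.Cut(trimmed, ": "); ok {
				env[key] = value
			}
		}
	}
	return env
}

// failing returns, sorted, the expected keys for which ok reports false.
func failing(ok func(key, want string) bool) []string {
	var bad []string
	for key, want := range expectedGitIdentity {
		if !ok(key, want) {
			bad = append(bad, key)
		}
	}
	sort.Strings(bad)
	return bad
}

// substringCheck mirrors the presence-only assertion quoted in the review.
func substringCheck(step string) []string {
	return failing(func(key, _ string) bool {
		return strings.Contains(step, key+": github-actions")
	})
}

// exactCheck compares each parsed env value with the full expected value.
func exactCheck(step string) []string {
	env := parseEnvBlock(step)
	return failing(func(key, want string) bool { return env[key] == want })
}

func main() {
	fmt.Println(substringCheck(regressedStep), exactCheck(regressedStep), exactCheck(goodStep))
}
```

On the regressed step the substring check reports nothing, while the exact comparison flags both altered keys.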

github-actions bot commented Mar 8, 2026

Smoke Test Run 22823768132 — PARTIAL

Core tests: ✅✅⚠️✅✅✅✅✅✅✅
PR review tests: ✅✅✅⚠️✅✅⚠️

Test 3 (Serena): activated OK, symbol search returned < 3 results / EOF errors.
Tests 14 & 17: skipped (no threads / no safe test PR).

💥 [THE END] — Illustrated by Smoke Claude ·

github-actions bot left a comment

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude

GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
GITHUB_WORKSPACE: ${{ github.workspace }}
GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com

Good addition of GIT_AUTHOR_EMAIL env var to ensure proper git identity in sandbox execution steps. This is consistent with the fix described in the PR.

GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_STEP_SUMMARY: /tmp/gh-aw/agent-step-summary.md
GITHUB_WORKSPACE: ${{ github.workspace }}
GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com

Same pattern applied consistently across all workflow files. Setting both GIT_AUTHOR_* and GIT_COMMITTER_* ensures commits made by the agent have proper attribution.


github-actions bot commented Mar 8, 2026

Smoke test results for @pelikhan's PR:

Test Status
GitHub MCP
Safe Inputs GH CLI
Serena MCP
Playwright
Web Fetch
File Writing
Bash Tool
Discussion Interaction
Build gh-aw
Discussion Creation
Workflow Dispatch
PR Review

Overall: ⚠️ PARTIAL PASS (Serena MCP unavailable)

📰 BREAKING: Report filed by Smoke Copilot ·

github-actions bot removed the smoke label Mar 8, 2026

github-actions bot left a comment

PR #20056 injects GIT_AUTHOR_* / GIT_COMMITTER_* env vars into AWF sandbox execution steps, fixing the "Author identity unknown" git commit failure. The approach is clean — env vars take precedence over gitconfig and are forwarded by --env-all. Tests are comprehensive. LGTM 🚀

📰 BREAKING: Report filed by Smoke Copilot

// into the container by AWF via --env-all, ensuring the first git commit succeeds
// without the agent needing to self-configure.
func getGitIdentityEnvVars() map[string]string {
return map[string]string{

Nice fix! The hardcoded github-actions[bot] identity is consistent with the generateGitConfigurationSteps values. Worth noting that if a workflow overrides the git identity (e.g. custom actor name), these env vars will still shadow that config inside the sandbox container — could be worth a comment clarifying this is intentional default behavior.

// without the agent needing to self-configure.
func getGitIdentityEnvVars() map[string]string {
return map[string]string{
"GIT_AUTHOR_NAME": "github-actions[bot]",
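
Review bot: the identity literal in this map (`"GIT_AUTHOR_NAME": "github-actions[bot]"`) is a second copy of the values that, per the PR description, generateGitConfigurationSteps() already uses, so a change on one side would leave host-side and in-sandbox commits with different identities. Move the name and e-mail into shared constants referenced by both functions, and have the test compare against those constants.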

The comment on line 55 explains --env-all forwarding clearly. Consider also noting that GIT_AUTHOR_* and GIT_COMMITTER_* have distinct semantics (author = who wrote the change, committer = who applied it) — in this case they're identical, which is typical for automated commits.


github-actions bot commented Mar 8, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤


github-actions bot commented Mar 8, 2026

Commit pushed: 0d3f97a

Generated by Changeset Generator

pelikhan merged commit fd283fd into main Mar 8, 2026
pelikhan deleted the copilot/fix-git-identity-in-sandbox branch March 8, 2026 15:23

Development

Successfully merging this pull request may close these issues.

Agent sandbox git identity missing: first commit fails, then agent self-configures

3 participants