fix: checkout dev mode actions to /tmp/gh-aw/dev-actions (outside workspace) to prevent override #23408

Closed
Copilot wants to merge 2 commits into main from copilot/update-compiler-safe-checkout

Conversation

Contributor

Copilot AI commented Mar 29, 2026

In dev mode, github/gh-aw was checked out to the workspace root. Any subsequent checkout to the workspace root (e.g. checking out a target repo or PR branch) would overwrite actions/setup, causing the runner post-job cleanup to fail: Can't find 'action.yml' under '.../actions/setup'.

Changes

  • compiler_yaml_helpers.go: Added devModeActionsCheckoutPath = "/tmp/gh-aw/dev-actions" constant; dev mode checkout now targets this absolute path outside $GITHUB_WORKSPACE, so the files are never inside the caller's git repository and cannot be accidentally committed
  • compiler_yaml_helpers.go: generateSetupStep now runs setup.sh via bash in dev mode (same pattern as script mode), removing the need for a workspace-relative uses: reference entirely
  • action_reference.go: Dev mode reverted to return the original local path placeholder since uses: is no longer involved for the setup action in dev mode
  • repo_memory.go: Removed the "Restore actions folder" step — it existed to keep action.yml findable for the post-job hook, which is no longer needed since dev mode uses bash execution instead of a uses: action
  • maintenance_workflow.go: Dev mode setup updated to use bash execution matching the new approach
  • Lock files: All 178 .lock.yml files recompiled; wasm golden files updated

Before:

- name: Checkout actions folder
  uses: actions/checkout@...
  with:
    repository: github/gh-aw
    sparse-checkout: |
      actions
    persist-credentials: false
- name: Setup Scripts
  uses: ./actions/setup

After:

- name: Checkout actions folder
  uses: actions/checkout@...
  with:
    repository: github/gh-aw
    sparse-checkout: |
      actions
    path: /tmp/gh-aw/dev-actions
    persist-credentials: false
- name: Setup Scripts
  run: bash /tmp/gh-aw/dev-actions/actions/setup/setup.sh
  env:
    INPUT_DESTINATION: ${{ runner.temp }}/gh-aw/actions


… override

In dev mode, the compiler now checks out github/gh-aw to a dedicated
`_gh-aw` subdirectory (instead of the workspace root) via `path: _gh-aw`.
This prevents subsequent checkouts to the workspace root from overwriting
the actions/ directory, which caused the post-job cleanup to fail with:
  "Can't find 'action.yml' under '.../actions/setup'"

All local action references in dev mode now use the safe checkout path
prefix (e.g., `./_gh-aw/actions/setup` instead of `./actions/setup`).

The repo_memory restore step and maintenance workflow are updated
consistently. All 178 lock.yml files recompiled, golden files updated.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/04e68266-33c9-4510-b995-a58c9b23019e

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Collaborator

@copilot pick a folder outside the checkout to avoid commiting the files

…kspace)

Move the dev mode actions checkout from `_gh-aw` (inside workspace) to
`/tmp/gh-aw/dev-actions` (outside workspace) so the files are never
inside the caller's git repository and cannot be accidentally committed.

The setup action is now invoked via bash script (same pattern as script
mode) rather than `uses:`, which requires no workspace-relative path:
  - Before: `uses: ./_gh-aw/actions/setup`
  - After:  `bash /tmp/gh-aw/dev-actions/actions/setup/setup.sh`

The "Restore actions folder" step in repo_memory is removed since there
is no longer a `uses:` post-job hook that needs to find action.yml.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4ab345f8-9077-4954-b850-287f8b09ffca

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 29, 2026

@copilot pick a folder outside the checkout to avoid commiting the files

Done in b2a4a2f. The checkout now targets /tmp/gh-aw/dev-actions (outside $GITHUB_WORKSPACE), so the files are never inside the caller's git repository.

Since uses: requires a workspace-relative path, the setup step in dev mode now runs the shell script directly — the same pattern already used by script mode:

- name: Checkout actions folder
  uses: actions/checkout@...
  with:
    repository: github/gh-aw
    path: /tmp/gh-aw/dev-actions   # ← outside workspace
- name: Setup Scripts
  run: bash /tmp/gh-aw/dev-actions/actions/setup/setup.sh

The "Restore actions folder" step in the repo-memory job was also removed since there's no longer a uses: post-job hook that needs to locate action.yml.

Warning

Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:
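The step layout described in the PR body (the "After" block) and restated in the reply above, as an added Go example that is not the gh-aw compiler's code: it builds the dev-mode checkout step and the bash-invoked setup step, and first enforces the property pelikhan asked for, that the checkout destination is absolute and outside $GITHUB_WORKSPACE, so neither a later checkout to the workspace root nor a later commit can touch it. The constant DevModeActionsCheckoutPath mirrors the one the PR adds; the Step type, ValidateCheckoutPath, DevModeSetupSteps, RenderSteps, the workspace value /home/runner/work/gh-aw/gh-aw and the checkout ref string are assumptions for this example, and the real generateSetupStep is not reproduced.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Mirrors the constant the PR adds; compiler_yaml_helpers.go itself is not reproduced here.
const DevModeActionsCheckoutPath = "/tmp/gh-aw/dev-actions"

// Step is a minimal model of one job step (hypothetical type, not gh-aw's).
type Step struct {
	Name string
	Uses string
	Run  string
	With [][2]string // ordered key/value pairs, rendered in this order
	Env  [][2]string
}

// ValidateCheckoutPath rejects a destination a later checkout to the workspace root could
// clobber or a later commit could sweep up: it must be absolute and not resolve inside workspace.
func ValidateCheckoutPath(path, workspace string) error {
	if !filepath.IsAbs(path) {
		return fmt.Errorf("checkout path %q is relative; actions/checkout would place it under $GITHUB_WORKSPACE", path)
	}
	rel, err := filepath.Rel(filepath.Clean(workspace), filepath.Clean(path))
	if err != nil {
		return err
	}
	outside := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
	if !outside {
		return fmt.Errorf("checkout path %q lies inside workspace %q", path, workspace)
	}
	return nil
}

// DevModeSetupSteps builds the PR's "After" block: a sparse checkout of github/gh-aw to an
// absolute path outside the workspace, then a run step that executes setup.sh with bash instead
// of a workspace-relative `uses:` reference, so no action.yml has to survive for the post-job hook.
func DevModeSetupSteps(checkoutPath, workspace, checkoutRef string) ([]Step, error) {
	if err := ValidateCheckoutPath(checkoutPath, workspace); err != nil {
		return nil, err
	}
	return []Step{
		{
			Name: "Checkout actions folder",
			Uses: checkoutRef,
			With: [][2]string{
				{"repository", "github/gh-aw"},
				{"sparse-checkout", "actions"},
				{"path", checkoutPath},
				{"persist-credentials", "false"}, // do not leave the token in that checkout's .git/config
			},
		},
		{
			Name: "Setup Scripts",
			Run:  "bash " + filepath.Join(checkoutPath, "actions", "setup", "setup.sh"),
			Env:  [][2]string{{"INPUT_DESTINATION", "${{ runner.temp }}/gh-aw/actions"}},
		},
	}, nil
}

// RenderSteps prints the steps as workflow YAML (hand-rolled; no YAML library needed).
func RenderSteps(steps []Step) string {
	var b strings.Builder
	for _, s := range steps {
		fmt.Fprintf(&b, "- name: %s\n", s.Name)
		if s.Uses != "" {
			fmt.Fprintf(&b, "  uses: %s\n", s.Uses)
		}
		if s.Run != "" {
			fmt.Fprintf(&b, "  run: %s\n", s.Run)
		}
		writePairs(&b, "with", s.With)
		writePairs(&b, "env", s.Env)
	}
	return b.String()
}

func writePairs(b *strings.Builder, key string, kv [][2]string) {
	if len(kv) == 0 {
		return
	}
	fmt.Fprintf(b, "  %s:\n", key)
	for _, p := range kv {
		fmt.Fprintf(b, "    %s: %s\n", p[0], p[1])
	}
}

func main() {
	workspace := "/home/runner/work/gh-aw/gh-aw" // assumed $GITHUB_WORKSPACE value
	steps, err := DevModeSetupSteps(DevModeActionsCheckoutPath, workspace, "actions/checkout@...")
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderSteps(steps))
	// The two earlier layouts, workspace root and the _gh-aw subdirectory, are rejected.
	fmt.Println(ValidateCheckoutPath(workspace, workspace), ValidateCheckoutPath("_gh-aw", workspace))
}
```

The validation is the part worth keeping in a compiler: a relative `path:` is always resolved under the workspace by actions/checkout, so it is rejected outright, and an absolute path is checked with filepath.Rel so that a sibling directory such as /home/runner/work/gh-aw/gh-aw-sibling passes while /home/runner/work/gh-aw/gh-aw/_gh-aw does not.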

Copilot AI changed the title from "fix: checkout dev mode actions to safe _gh-aw subdirectory to prevent override" to "fix: checkout dev mode actions to /tmp/gh-aw/dev-actions (outside workspace) to prevent override" Mar 29, 2026
Copilot AI requested a review from pelikhan March 29, 2026 02:13
@github-actions github-actions bot mentioned this pull request Mar 29, 2026
@pelikhan pelikhan added the smoke label Mar 29, 2026
@pelikhan pelikhan closed this Mar 29, 2026
@github-actions github-actions bot deleted the copilot/update-compiler-safe-checkout branch April 5, 2026 02:59
3 participants