Scope activation-job permissions to actual trigger events and add status-comment discussions/issues/pull-requests toggles

[Copilot]

gh aw compile was over-granting activation permissions (discussions: write, pull-requests: write) for workflows that only operate on issues. This changes activation permission derivation to be event-aware so compiled lock files request only the scopes required by configured triggers.

• Permission scoping in activation compiler

  • Replaced broad reaction/status-comment permission grants with event-scoped grants derived from parsed on event keys.
  • Applied the same scoping logic to both:
    • activation job permissions block, and
    • activation GitHub App token minting permissions.
  • Added safe fallback behavior: when on parsing is invalid/missing/unsupported, activation permissions fall back to broad interaction scopes (matching prior behavior) to avoid under-scoped runtime tokens.
  • Tightened fallback least-privilege behavior so pull-requests: write is no longer granted for status-comments-only flows (it is still granted for reactions that need it).

• Event parsing and filtering hardening

  • Added structured extraction of trigger events from on YAML instead of relying on loose substring matching.
  • Centralized filtering of activation metadata keys (reaction, status-comment, command, etc.) from real event keys.
  • Added debug logging for malformed on parsing and explicit logging when synthetic empty-on fallback is used.

• New frontmatter options: selectively disable status-comment targets

  • Added support for object-form on.status-comment:

    on:
      status-comment:
        issues: false
        pull-requests: false
        discussions: false

  • Object form implies status comments are enabled and supports independent target toggles:
    • issues (optional, default true) controls issues and issue_comment status comments.
    • pull-requests (optional, default true) controls pull_request and pull_request_review_comment status comments.
    • discussions (optional, default true) controls discussion and discussion_comment status comments.
  • discussions: false keeps status comments enabled for issue/PR-related events while excluding discussion and discussion_comment.
  • issues: false keeps status comments enabled for pull-request/discussion-related events while excluding issue events.
  • pull-requests: false keeps status comments enabled for issue/discussion-related events while excluding pull request events.
  • Activation status-comment step conditions now honor all three options.
  • Activation permission and app-token scope computation now also honor all three options (avoids granting write scopes for disabled target groups).
  • Added validation for object-form configuration: if issues, pull-requests, and discussions are all false, compilation fails with an actionable error instead of silently generating a never-running status-comment condition.

• Schema updates

  • Updated main_workflow_schema.json so status-comment supports both:
    • boolean (existing behavior), and
    • object with optional issues, pull-requests, and discussions fields (no enabled field).

• Regression coverage updates

  • Added focused tests for:
    • issue-only + reaction/status-comment → only issues: write
    • pull_request_review_comment + reaction-only → pull-requests: write only
    • status-comment.discussions: false → no discussion status-comment condition and no discussions: write
    • status-comment.issues: false → no issue status-comment condition and no issue-derived write scope from status comments
    • status-comment.pull-requests: false → no pull-request status-comment condition
    • invalid/missing on parsing fallback → broad interaction permissions are applied with target-toggle awareness.
    • invalid status-comment object where all targets are disabled → compilation error.
  • Updated existing activation permission expectation tests to match least-privilege behavior.

// Reactions on issues, issue comments, and pull requests all use issues endpoints.
if hasIssuesEvent || hasIssueCommentEvent || hasPullRequestEvent {
	permsMap[PermissionIssues] = PermissionWrite
}

// Reactions on PR review comments use pull request review comment endpoints.
if hasPullRequestReviewCommentEvent {
	permsMap[PermissionPullRequests] = PermissionWrite
}

// Status comments on discussions are controlled by frontmatter toggle.
if statusCommentIncludesDiscussions && (hasDiscussionEvent || hasDiscussionCommentEvent) {
	permsMap[PermissionDiscussions] = PermissionWrite
}

> [!WARNING]
>

[github-actions]

Hey @Copilot 👋 — great start on scoping activation-job permissions to the actual trigger events! Fixing over-broad permission grants (e.g. discussions: write appearing on issue-only workflows) is a meaningful quality-of-life improvement for users of the compiler.

A few things to wrap up before this is ready for review:

• Implementation is still pending — the core compiler change (scoping reaction/status-comment permissions to enabled trigger events) is not yet committed. The diff is currently empty.
• Tests are missing — the checklist calls out adding/adjusting focused tests to verify issue-only workflows don't request discussions: write or pull-requests: write. These should land in the same commit as the fix.
• Draft status — once the checklist is fully checked off and make agent-finish has been run, remember to mark the PR as ready for review.

If you'd like a prompt to continue, here's one you can use:

Continue implementing PR #26535 — Fix compiled lock file to request appropriate permissions.
1. Implement the compiler change to scope reaction/status-comment permissions to enabled trigger events.
2. Add or update focused tests verifying that issue-only workflows don't request discussions: write or pull-requests: write.
3. Run `make agent-finish` and resolve any findings.
4. Commit and push the changes to the branch.
5. Mark the PR as ready for review once all checks pass.

Generated by Contribution Check · ● 1.5M · ◷

[Copilot]

Pull request overview

Updates activation-job permission derivation to be trigger-event-aware so issue-only workflows don’t request unnecessary scopes (least privilege), and adds regression coverage to validate the new behavior.

Changes:

• Scoped activation interaction permissions (reaction/status-comment) based on parsed on event keys rather than broad grants.
• Added structured extraction of trigger event names from on YAML (with filtering of activation metadata keys).
• Updated/added tests to validate least-privilege permissions for issue-only and PR-review-comment workflows.

Show a summary per file

File	Description
pkg/workflow/compiler_activation_job.go	Adds event-aware permission derivation for activation interactions, and introduces on YAML parsing helpers to scope permissions.
pkg/workflow/task_and_reaction_permissions_test.go	Updates assertions to ensure issue-only triggers do not grant pull-requests: write / discussions: write.
pkg/workflow/activation_permissions_scope_test.go	Adds focused regression tests for issue-only and PR review comment activation permission scoping.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 1

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	3
✅ Design tests (behavioral contracts)	3 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	3 (100%)
Duplicate test clusters	0
Test inflation detected	No
🚨 Coding-guideline violations	None

---

Test Classification Details

View All Test Classifications (3 tests)

Test	File	Classification	Issues Detected
TestActivationPermissionsIssueOnlyReactionAndStatusComment	pkg/workflow/activation_permissions_scope_test.go:17	✅ Design	None
TestActivationPermissionsPRReviewReactionOnly	pkg/workflow/activation_permissions_scope_test.go:50	✅ Design	None
task_and_reaction_permissions_test.go — Test 5 (modified)	pkg/workflow/task_and_reaction_permissions_test.go:98	✅ Design	None

---

Test Highlights

TestActivationPermissionsIssueOnlyReactionAndStatusComment compiles a real workflow with an issues-only trigger and asserts on the generated lock file: issues: write is present, pull-requests: write and discussions: write are absent. This is a tight behavioral contract test for the least-privilege scoping feature — if the compiler ever regresses to adding broad permissions, this test will catch it.

TestActivationPermissionsPRReviewReactionOnly mirrors the above for a pull_request_review_comment trigger, asserting the inverse permissions. Together, the two tests pin the scoping logic to specific trigger types and would catch permission drift in either direction.

task_and_reaction_permissions_test.go update correctly updates the existing permission contract assertions to reflect the new least-privilege behavior — inverting two !strings.Contains checks to positive strings.Contains checks for the "should NOT have" permissions. The update is tight and precise.

All three tests:

• Use the real compiler (NewCompiler().CompileWorkflow(...)) with no mocks
• Assert on the observable output (generated lock file YAML)
• Carry descriptive assertion messages
• Have the required //go:build !integration build tag

Test inflation check: 79 new test lines vs 140 changed production lines → 0.56:1 ratio (well under 2:1 threshold ✅)

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 3 tests — unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). No coding-guideline violations detected.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24488869997

🧪 Test quality analysis by Test Quality Sentinel · ● 639.2K · ◷

[github-actions]

✅ Test Quality Sentinel: 100/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 3 new/modified tests verify behavioral contracts on real compiler output with no mocks.

[github-actions]

Commit pushed: 9e43ab6

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (205 new lines in pkg/workflow/) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/26535-event-scoped-activation-permission-derivation.md

What the draft covers

The generated ADR captures:

• Context: The compiler was over-granting discussions: write and pull-requests: write for workflows that only trigger on issues events, violating least privilege.
• Decision: Derive activation permissions at compile time by parsing the on: section, filtering out gh-aw metadata trigger fields, and granting only the write scopes required by the real GitHub event types configured.
• Alternatives considered: Retaining broad grants, requiring explicit permission declarations in workflow frontmatter, runtime permission escalation.
• Consequences: Positive (least-privilege lock files, centralized logic, explicit metadata allowlist) and negative (new YAML parse failure mode, test fallback masking).

What to do next

1. Review the draft ADR committed to your branch at docs/adr/26535-event-scoped-activation-permission-derivation.md
2. Complete the missing sections — verify the alternatives reflect what was actually considered, refine the decision rationale, and adjust the normative requirements as needed
3. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-26535: Event-Scoped Activation Permission Derivation

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

---

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 26535-event-scoped-...md for PR #26535).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §24488870005

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• Scope activation-job permissions to actual trigger events and add status-comment discussions/issues/pull-requests toggles #26535 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 155.9K · ◷

[pelikhan]

@copilot add frontmatter option to disable discussions for status-comments.

[Copilot]

Implemented in 6bc10d9 (with follow-up test tightening in 9b9fe1a). You can now disable discussion status-comments via frontmatter:

on:
  status-comment:
    enabled: true
    discussions: false

This updates activation status-comment conditions and activation permissions/app-token scopes accordingly.

[pelikhan]

@copilot review all comments

[pelikhan]

@copilot add status-comment.issues: Boolean to also selectively disable issue write support. Recompile lock files.

[Copilot]

@copilot remove field status-comment.enabled as it is implied.

Done in 470d515. status-comment.enabled has been removed from object form; object form now implies enabled and supports only optional discussions (e.g. status-comment: { discussions: false }).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw --write ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm /usr/bin/git -unreachable=falgit /tmp/go-build806rev-parse 626300/b279/vet.--show-toplevel git (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: `/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name on' --ignore-path ../../../.pret.prettierignore t enabled field

Agent-Logs-Url:--log-level=error bin/git` (http block)

• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linu-trimpath /usr/bin/git te '**/*.cjs' '*git cfg 64/pkg/tool/linu--show-toplevel /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/git 320386683/.githugit cfg 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyMinIntegrityOnlyCompiledOutput1140871677/001 rev-parse /usr/bin/git th .prettierignogit (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv se 626300/b073/vet.cfg ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/compile /usr/bin/git -t on 64/pkg/tool/linu--show-toplevel git rev-�� it/ref/tags/v4 64/pkg/tool/linux_amd64/compile sv 20/001/test-frongit 626300/b054/vet.rev-parse cfg git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuupstream /usr/bin/git licyTrustedUsersgit -buildtags cfg git rev-�� --show-toplevel /tmp/go-build402393411/b070/gh-aw.test /usr/bin/git -test.paniconexigit -test.v=true ache/go/1.25.8/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linuremote /usr/bin/git rdian.md DefaultBranchFrocommit cfg git rev-�� --show-toplevel ache/go/1.25.8/x3 /usr/bin/git Onlymin-integritgit (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv ons-issue^{commit} (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv ./../pkg/workflo-errorsas (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv flib/difflib.go --global x_amd64/compile http.https://gitgit (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv remove om/owner/repo.git /usr/bin/git *.json' '!../../git commit.gpgsign x_amd64/link git rev-�� --show-toplevel x_amd64/link /opt/hostedtoolcache/node/24.14.1/x64/bin/node /js && npm run fgit cfg 64/pkg/tool/linu--show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv = get && echo "******"; }; f get = get && echo "******"; }; f get /usr/bin/git adata/main.go commit.gpgsign x_amd64/compile git conf�� user.email test@example.com /usr/bin/git e formatted" cfg 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv sistency_GoAndJavaScript2940834620/001/test-frontmatter-with-env-s -trimpath /usr/bin/infocmp -p main -lang=go1.25 393411/b427/importcfg -1 k/gh-aw/gh-aw/pkg/parser/import_conflict_test.go k/gh-aw/gh-aw/pkg/parser/import_cycle_test.go /usr/bin/infocmp go1.25.8 -c=4 -nolocalimports infocmp (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /usr/bin/git 736286/001 gpg.program x_amd64/vet git rev-�� --git-dir x_amd64/vet /usr/bin/git HEAD cfg x_amd64/compile git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv 393411/b440/_pkg_.a show 393411/b440=> ons-issue^{commigit b/gh-aw/pkg/strirev-parse _modules/.bin/no--show-toplevel git -C ons-test51924073 config /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu-nilfunc remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-add-gitattributes-test2181626317/.github/workflows config /usr/bin/git remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name -v ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 chore: restore lock files after progress update -ifaceassert 64/pkg/tool/linux_amd64/vet rkflow/js/**/*.jgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name t_schema_test.go 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 -v n-dir/bash (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name cfg 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 -v cfg (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name cfg cfg (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 chore: restore lock files after progress update -ifaceassert ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet rkflow/js/**/*.jgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name om/aymanbagabas/go-udiff@v0.4.1/export.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name cfg cfg (http block)
  • Triggering command: `/usr/bin/gh gh run download 4 --dir test-logs/run-4 chore: restore lock files after progress update

Agent-Logs-Url: REDACTED 64/pkg/tool/linux_amd64/vet` (http block)

• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name cfg ndor/bin/bash (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 chore: restore l-nolocalimports 64/pkg/tool/linu-importcfg (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path 020568156/001' 020568156/001' -importcfg /tmp/go-build402393411/b414/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go conf�� ./../pkg/workflo-errorsas pported.go x_amd64/compile http.https://git/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git _.a (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv ithub/workflows o 64/pkg/tool/linux_amd64/compile /../../.prettiergit erignore --property=Memor--get 64/pkg/tool/linuremote.origin.url (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv get --local x_amd64/vet credential.helpegit ase,codename,alladd (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv get --local x_amd64/vet credential.usern/usr/lib/git-core/git d7-b4fc-420a-989maintenance (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv get ilation-permissi-test.run=^Test x_amd64/vet user.name (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv get ilation-permissions-issue x_amd64/vet user.name (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv get --local x_amd64/vet credential.usern/usr/lib/git-core/git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv e-analyzer.md on ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /../../.prettiergit erignore --property=Memor--show-toplevel ache/go/1.25.8/x64/pkg/tool/linuremote.origin.url (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo rgo/bin/git (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo p/bin/git (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build402393411/b400/cli.test /tmp/go-build402393411/b400/cli.test -test.testlogfile=/tmp/go-build402393411/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true ame (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: `/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name on' --ignore-path ../../../.prettierignore t enabled field

Agent-Logs-Url: REDACTED de/node/bin/git` (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

@copilot add status-comment.issues: Boolean to also selectively disable issue write support. Recompile lock files.

Implemented in 2a9b73f (feature in 1a9ecde). Added on.status-comment.issues (boolean, default true) to selectively disable issue-write status comments, updated activation condition/permission scoping and fallback behavior, and updated schema/tests. Recompile was run (make recompile), but it still reports a pre-existing repo compile failure (stale-repo-identifier.md) while compiling 190/191 workflows. No UI changes to screenshot (CLI/schema-only change).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw 7231a2f (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ase,codename,all-C (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/architecture-guardian.md 64/pkg/tool/linuorigin /usr/bin/gh g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts /usr/bin/git .artifacts[].namgit lYICvwSZY 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/infocmp (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv 1/001/test-frontmatter-with-arra-test.timeout=10m0s GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE 0410715/b012/ GOMODCACHE ache/go/1.25.8/x12346 ortc�� 01/main.md rg/x/text@v0.36.0/internal/internal.go .cfg GOINSECURE fips140/aes/gcm ache/go/1.25.8/x--show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git b/workflows B-Au8vNkW x_amd64/link git rev-�� it/ref/tags/v4 x_amd64/link sv util.test eJpt1zLU2 ortcfg.link git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolcache/go/1.25.8/x-test.v=true /usr/bin/git licyBlockedUsersgit -trimpath /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git -bool 9383016/b432/_terev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm /usr/bin/git boring/sig om/goccy/go-yamlcommit ache/go/1.25.8/x-m git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linustatus /usr/bin/git 3351-35396/test-git GO111MODULE 0410715/b103=> git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -goversion go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build1340410715/b225/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json .go 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE AymyOsA/0ubdVXTnworkflow GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv om/owner/repo.git x_amd64/compile /usr/bin/git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/agent-performance-analyzer.md x_amd64/compile /usr/bin/git rity1392969214/0git om/owner/repo.girev-parse lone-1488985436 git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv 9383016/b438/stats.test -importcfg ache/node/24.14.1/x64/bin/node -s -w -buildmode=exe qOvIDe5uaqfMA/Ftgp5jSlGySoaJuSny7r/w3dYQ-INIY6ZW--json t-89�� bility_SameInputSameOutput605500349/001/stabilit--workflow -q ache/node/24.14.1/x64/bin/node -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv on' --ignore-path ../../../.prettierignore ons-issue (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv on' --ignore-path ../../../.pret.prettierignore ons-issue de/node/bin/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv /workflows/smoke-test-tools.lock.yml git 1/x64/bin/git --show-toplevel /opt/hostedtoolcinstall-gh-aw.sh /usr/bin/git git rev-�� js/**/*.json' --ignore-path ../../../.prettierignore git cal/bin/git --show-toplevel git /usr/bin/git bash (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv GOMODCACHE x_amd64/compile /usr/bin/git lic_3238629098/0git GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv -buildid zlLpwqk7lm3kTMme1tRE/zlLpwqk7lm3kTMme1tRE /usr/bin/infocmp -goversion go1.25.8 -c=4 infocmp -1 xterm-color -pack /usr/bin/gh -json GO111MODULE 64/bin/go gh (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv --show-toplevel -dwarf=false /usr/bin/git go1.25.8 -c=4 -nolocalimports /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ 9383016/b437/vet.cfg -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name 4LOc7tzcC 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 1057086072 PcfUGjA_S ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 AmvwaUv3n ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env til.go til_test.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuremote (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name lYICvwSZY 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a bbyq8rTOi ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE til GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuremote.origin.url (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 0/internal/catmsg/catmsg.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env g_.a QuPWq4ACQ x_amd64/compile GOINSECURE r GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name l.go 64/pkg/tool/linux_amd64/compile GOINSECURE .o 64/src/internal/--show-toplevel 64/pkg/tool/linux_amd64/compile env g_.a DfcRFzBGz x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 0/internal/internal.go 64/pkg/tool/linux_amd64/compile GOINSECURE al_wasm.o 64/src/internal/--show-toplevel 64/pkg/tool/linux_amd64/compile env 3771465448 64jHUho52 ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE g GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-test.v=true (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name CY7t-lTSd 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/tmp/go-build1009383016/b450/_testmain.go env 1057086072 bBouUBHdz ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-goversion (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 V0s1bKvb3 ache/go/1.25.8/x64/bin/go GOINSECURE util GOMODCACHE go env q8IEgA2hZ GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name 2C7db5rpj 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 1057086072 YfB4YDUdE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 NgK5Xenpy ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 314184780 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE GOMOD abis ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name glpNKSOQr 64/pkg/tool/linux_amd64/compile GOINSECURE (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 sYYP-7R33 ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env ortcfg 1Yg0zHCmd ger.test GOINSECURE GOMOD GOMODCACHE ger.test (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE 64 abis 64/pkg/tool/linux_amd64/compile env 1057086072 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 S1XHWmzm6 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 314184780/.github/workflows EFuVqG1PQ ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu/tmp/file-tracker-test2612060094/test2.lock.yml (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -c=4 -nolocalimports -importcfg /tmp/go-build1009383016/b414/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE go-sdk/internal/rev-parse abis 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git ility-kit.md Tbt35DxwQ ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linu/tmp/go-build1009383016/b111/vet.cfg /usr/bin/git ortcfg GO111MODULE .cfg git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv g_.a 8kq6Gg-gh 64/pkg/tool/linux_amd64/compile GOINSECURE ack GOMODCACHE 64/pkg/tool/linux_amd64/compile estl�� g_.a Hgqea9f-D x_amd64/vet GOINSECURE tants GOMODCACHE x_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE iE8t3kR/vbNrLVZ2rev-parse (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build1009383016/b425/importcfg -pack /tmp/go-build1009383016/b425/_testmain.go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env 296408/001 296408/002/work x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv xec.js (or misc/-s GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json l/errors/error.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq [.object.sha, .object.type] | @tsv ../pkg/workflow/js/**/*.json' ---p ame x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq [.object.sha, .object.type] | @tsv kflow/expression_builder.go git 64/bin/git --show-toplevel /usr/lib/git-cor-C /usr/bin/git bash --no�� json' --ignore-path ../../../.prettierignore git de/node/bin/git --show-toplevel 1/x64/bin/node /usr/bin/git cat (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv l.go l_test.go x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env ortcfg yi2fVdpoL ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuremote.origin.url (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE iat 64/src/runtime/muser.name 64/pkg/tool/linuTest User env -json gNtEbmW0N ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linurev-parse (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -nolocalimports -importcfg /tmp/go-build1009383016/b418/importcfg -pack /tmp/go-build1009383016/b418/_testmain.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build1009383016/b400/cli.test /tmp/go-build1009383016/b400/cli.test -test.testlogfile=/tmp/go-build1009383016/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build1340410715/b221/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot also add a field to control pull-requests

[Copilot]

@copilot also add a field to control pull-requests

Implemented in 3d22416 (follow-up cleanup in d57f5ea). Added on.status-comment.pull-requests boolean (default true) to independently control pull-request status comments, updated activation status-comment conditions and permission scoping/fallback behavior, and expanded schema/tests. No UI changes in this PR, so there’s no UI screenshot to provide.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build679563612/b123/embedcfg -pack (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build248180772/b345/embedcfg -pack (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name "prettier" --che-p GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go git for-�� --format=%(refna-p --merged=2a9b73fnet/http/internal 64/bin/go npx prettier --w/tmp/go-build1029673868/b409/constants.test go 64/bin/go y.s (http block)
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -c=4 -nolocalimports -importcfg /tmp/go-build1735970058/b390/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/internal/tools/actions-build/main.go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel /usr/bin/git remo�� -v 64/pkg/tool/linu--auto /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/asm /usr/bin/gh -json GO111MODULE 64/bin/go gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts /usr/bin/git .artifacts[].namgit GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_with_explicit_repo558509327/00remote.origin.urgit config /usr/bin/git remote.origin.urgit --check 64/bin/go git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/TestHashConsistency_GoAndJavaScript1646651334/001/test-complex-frontmatter-with-tools.md -tests /usr/bin/git ck 'scripts/**/*git GO111MODULE 64/bin/go git -C /tmp/compile-instructions-test-2473886843/.github/workflows rev-parse /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv ortcfg kTMme1tRE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linurev-parse env report.md GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD 1698874/b007/sym--show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel 7z/4P7r8Nx30lqcg9B8vwjI/_jU1qxM0sgM1d_TR1DWb /usr/bin/git g_.a GO111MODULE x_amd64/compile git rev-�� it/ref/tags/v4 x_amd64/compile sv g_.a JmzP4TwGo ache/go/1.25.8/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel /opt/hostedtoolcache/go/1.25.8/x-test.v=true /usr/bin/git /tmp/go-build429git -trimpath /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git -bool -buildtags /usr/bin/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 1698874/b047/_pkgit om/segmentio/enccommit ache/go/1.25.8/x-m git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linuorigin /usr/bin/git 1698874/b089/_pkgit GO111MODULE x_amd64/vet git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu-m git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git -srG6esp4 GO111MODULE ache/go/1.25.8/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build4291698874/b240/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.36.0/language/coverage.go -c "prettier" --che-p GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GOCACHE 64/bin/go tierignore go ha8_stub.s go env -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -x .go 64/bin/go - --write 64/bin/go go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv add remote2 /usr/bin/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv 5970058/b458/workflow.test go 5970058/b458/importcfg.link -json GO111MODULE 64/bin/go CtHlVrADPtpyd/fsXLWyAjnnoOyidIDzfQ/dKtbMCw-Fq-yj_3M1sSn/cChIEn1CtHlVrADPtpyd init�� ry=1 go che/go-build/5c/5cef9e93ce1279fc9ce38e88b784ec8ba365532be3b0d63a24661cd35a7c2fe6-d -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv 9673868/b458/_pkg_.a myorg 9673868/b458=> (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv v1.0.0 go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv 9673868/b438/_pkg_.a -trimpath 9673868/b438=> -p main -lang=go1.25 /usr/lib/git-core/git --gi�� ny7r/Ftgp5jSlGySoaJuSny7r --format=%(objectname) /usr/bin/infocmp go1.25.8 -c=4 -nolocalimports infocmp (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv echo "��� All validations passed" GOPROXY /usr/lib/git-core/git-upload-pack GOSUMDB GOWORK 64/bin/go git-upload-pack /tmp�� GOMODCACHE l /opt/hostedtoolcache/node/24.14.1/x64/bin/node ck '**/*.cjs' '*git GO111MODULE 64/bin/go node (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /usr/bin/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260416-044142-73436/test-2256585428 status /usr/bin/git .github/workflowgit GO111MODULE f611e151d793f8e3--show-toplevel git rev-�� --show-toplevel h-aw.wasm; \ AFTER=$(wc -c < g /usr/bin/git ty-test.md GO111MODULE x_amd64/vet git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv g/timeutil/format.go g/timeutil/format_test.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile go1.25.8 -c=4 -nolocalimports ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile -1 9673868/b450/_pkg_.a /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.36.0/internal/tag/tag.go 9673868/b450=> "prettier" --chegit GOPROXY 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv runs/20260416-044142-73436/test-2333631029/.github/workflows blob /bin/sh GOSUMDB GOWORK 64/bin/go /bin/sh -c git-upload-pack '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitcustom_branch1168164062/001' l ache/node/24.14.1/x64/bin/node d69a3dcb53c3cffegit GO111MODULE 64/bin/go ache/node/24.14.1/x64/bin/node (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -buildid r48K25Cv2sXeJpt1zLU2/r48K25Cv2sXeJpt1zLU2 ache/node/24.14.1/x64/bin/node -goversion go1.25.8 -c=4 infocmp t-37�� bility_SameInputSameOutput125122387/001/stability-test.md -pack /usr/bin/git "prettier" --chegit GOPROXY 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv runs/20260416-044142-73436/test-2333631029/.github/workflows --merged=3d2241651cb79e4274ec945f9f9e25c1b4c80e45 /usr/bin/git GOSUMDB GOWORK 64/bin/go git init�� --bare l e/git d57b711a832dfe81git GO111MODULE 64/bin/go e/git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name 0/language/coverage.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 333561749 sYAOo28ie 64/pkg/tool/linux_amd64/compile GOINSECURE util GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 rotocol/go-sdk@v1.5.0/oauthex/auth_meta.go 64/pkg/tool/linux_amd64/compile GOINSECURE (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ithout_min-integrity427355049/001 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/jsonrpc/js-nolocalimports 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a kLZAPaMu6 /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 3375299669 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE pproxy GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env y_only_defaults_repo359089412/001 GO111MODULE 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name emplate/v3@v3.0.2/compile.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE go-sdk/jsonrpc abis 64/src/reflect/asm_wasm.s (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 SUy_HbpQE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a InX8DV7o_ 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env y_only_defaults_repo359089412/00remote.origin.url GO111MODULE 64/pkg/tool/linux_amd64/cgo GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/cgo (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name 0/internal/language/compact/comp-c=4 64/pkg/tool/linux_amd64/compile GOINSECURE essage abis 64/pkg/tool/linux_amd64/compile env 333561749 ke8fejfLv ache/go/1.25.8/x64/pkg/tool/linu-test.short=true GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 rotocol/go-sdk@v1.5.0/auth/auth.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile env 3830136316/.github/workflows NG8R67gve util.test GOINSECURE go-sdk/mcp GOMODCACHE util.test (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name LsRemoteWithRealGitbranch_with_hyphen3710536645/001' 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ithout_min-integrity427355049/00remote.origin.url n.go 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuorigin (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name 4/apic.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile 64/s�� 333561749 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE age/compact GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu/tmp/file-tracker-test4164795390/test2.lock.yml (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 dyvKs137W 64/pkg/tool/linux_amd64/compile GOINSECURE (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name itbranch_with_hyphen3710536645/002/work 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name l.go 64/pkg/tool/linux_amd64/compile GOINSECURE .o 64/src/internal/--git-dir 64/pkg/tool/linux_amd64/compile env 333561749 DfcRFzBGz ache/go/1.25.8/x64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-tests (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 5.0/internal/doc.go 64/pkg/tool/linux_amd64/compile GOINSECURE 64 GOMODCACHE 64/pkg/tool/linutest@example.com env g_.a GO111MODULE ck GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env ithout_min-integrity427355049/001 GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name QWGZF_tJr 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env 333561749 bbyq8rTOi ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE til GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 5.0/deviceauth.g-c=4 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/tmp/go-build1029673868/b446/_testmain.go env g_.a tVIFB3NxN ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE go-sdk/oauthex GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path 946542607/001' 946542607/001' 64/bin/go GOSUMDB GOWORK 64/bin/go git cat-�� --end-of-options-p blob 64/bin/go prettier --write 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linuremote1 env rity1822461942/001 Cy4PJHJpH 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel -extld=gcc /usr/bin/git Elygkb-do 64/src/runtime/mrev-parse Name,createdAt,s--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git efaultBranchFromls efaultBranchFrom-lh .cfg git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.8/x/tmp/gh-aw/aw-feature-branch.patch git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv g_.a GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE js.o 64/src/syscall/js/js_js.s 64/pkg/tool/linux_amd64/compile estl�� g_.a VGplouFzy ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE tants GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 1550884115 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv run lint:cjs 64/bin/go GOSUMDB GOWORK 64/bin/go sh _bra�� "prettier" --check 'scripts/**/*GOINSECURE prettier 64/bin/go scripts/**/*.js --ignore-path 64/bin/go go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile 6542�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env lGitmain_branch2946542607/001' lGitmain_branch2946542607/001' x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv npx prettier --c-errorsas GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go sh -c Gitmaster_branch3335948060/001' Gitmaster_branch3335948060/001' 64/bin/go tierignore scripts/**/*.js 64/bin/go go (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq [.object.sha, .object.type] | @tsv assword=$GITHUB_TOKEN"; }; f get assword=$GITHUB_TOKEN"; }; f get x_amd64/vet HooksPath (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv l.go l_test.go 64/pkg/tool/linu-nilfunc GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url estl�� g_.a b-AbBFuh- ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 1550884115 GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE ole GOMODCACHE 64/pkg/tool/linux_amd64/link env AsxZxLib9 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK run-script/lib/n/tmp/go-build4291698874/b232/_pkg_.a gcc -###�� -x .go 64/bin/go - --write 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -nolocalimports -importcfg /tmp/go-build1029673868/b418/importcfg -pack /tmp/go-build1029673868/b418/_testmain.go @/tm�� ../../../.pretti-p node 64/bin/go prettier --write 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build1029673868/b400/cli.test /tmp/go-build1029673868/b400/cli.test -test.testlogfile=/tmp/go-build1029673868/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build4291698874/b224/importcfg -pack -c "prettier" --che-p GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go git (http block)
  • Triggering command: /tmp/go-build1735970058/b400/cli.test /tmp/go-build1735970058/b400/cli.test -test.testlogfile=/tmp/go-build1735970058/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD ode-gyp-bin/node-json go env ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name prettier --check 64/bin/go **/*.ts **/*.json --ignore-path git conf�� extensions.objec-p sh 64/bin/go npx prettier --w/tmp/go-build1029673868/b400/cli.test go 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD erignore go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)