fix(design-decision-gate): add git ls-remote permission, raise turn limit to 20, add MCP fallback #28353

Merged
pelikhan merged 2 commits into main from copilot/aw-failures-fix-bash-permissions
Apr 24, 2026

Copilot AI commented Apr 24, 2026

design-decision-gate was exhausting all 15 turns on copilot/* PRs because git ls-remote was not in the allowed-tools list and there was no fallback when pre-fetched context files were unavailable.

Changes

  • Bash permissions: Added git ls-remote:* to allowed tools — the agent was hitting permission denials on git ls-remote origin "copilot/*" with no recovery path

  • Turn limit: Raised max-turns 15 → 20 to accommodate this workflow's research + reasoning + safe-output pattern; denied commands were consuming turns before any useful work happened

  • Prompt fallback: Added explicit MCP fallback table so the agent immediately switches to the equivalent GitHub MCP tool instead of retrying a denied/missing file read:

    Missing file               Fallback
    pr.json                    mcp__github__get_pull_request
    pr-files.json              mcp__github__get_pull_request_files
    pr.diff                    mcp__github__get_pull_request_diff
    adr-prefetch-summary.json  compute from PR files + labels
  • Lock file: Recompiled — --max-turns 20, Bash(git ls-remote:*) now appears in --allowed-tools

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] Fix bash permission denials in copilot PRs" to "fix(design-decision-gate): add git ls-remote permission, raise turn limit to 20, add MCP fallback" Apr 24, 2026
Copilot AI requested a review from gh-aw-bot April 24, 2026 21:46
@pelikhan pelikhan marked this pull request as ready for review April 24, 2026 21:47
Copilot AI review requested due to automatic review settings April 24, 2026 21:47
@pelikhan pelikhan merged commit f01a9d1 into main Apr 24, 2026
19 checks passed
@pelikhan pelikhan deleted the copilot/aw-failures-fix-bash-permissions branch April 24, 2026 21:47

Copilot AI left a comment

Pull request overview

Updates the design-decision-gate workflow configuration to reduce turn exhaustion and improve recovery when required PR context isn’t available via prefetched files.

Changes:

  • Increased the Claude hard turn budget from 15 to 20 turns.
  • Added git ls-remote:* to the workflow’s allowed bash tools.
  • Documented an explicit fallback mapping from missing prefetched files to GitHub MCP tools.

| File | Description |
| --- | --- |
| .github/workflows/design-decision-gate.md | Raises turn budget, allows git ls-remote, and adds MCP fallback instructions for missing prefetched context. |
| .github/workflows/design-decision-gate.lock.yml | Regenerated compiled lockfile to reflect the updated max-turns and allowed tools. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

bash:
- "git diff:*"
- "git log:*"
- "git ls-remote:*"
Copilot AI Apr 24, 2026

Allowing git ls-remote:* grants the agent a generic network-capable git command that can be invoked against arbitrary URLs (e.g., git ls-remote https://...), which expands the workflow’s egress surface beyond the stated need (origin "copilot/*"). Consider narrowing this permission to only the required invocation(s), such as scoping it to the origin remote (or even the copilot/* pattern) if the tool-allowlist syntax supports it, to reduce unintended network access.

Suggested change
- "git ls-remote:*"
- "git ls-remote:origin copilot/*"
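
Review bot: the replacement entry `git ls-remote:origin copilot/*` assumes the allowlist matcher accepts literal arguments after the colon, and nothing on the page confirms that; the three entries in the surrounding snippet all use the `:*` form, and the comment itself hedges with "if the tool-allowlist syntax supports it". Confirm the narrowed pattern is honoured and still matches the quoted invocation `git ls-remote origin "copilot/*"` from the PR description, then recompile the lock file so the `Bash(git ls-remote:*)` entry in `--allowed-tools` is narrowed as well.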

Development

Successfully merging this pull request may close these issues.

[aw-failures] Design Decision Gate: max-turns failure ($0.72/run) — bash permission denials block context file reads on copilot/* PRs
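
The scoping concern from the review comment on `git ls-remote:*`, as an added example that is not part of the PR or of gh-aw: a validator that accepts only the one invocation the PR description names and rejects other remotes, options and ref patterns. The function names and the prefix-match reading of `:*` are assumptions.

```python
import re
import shlex

# Assumed policy (hypothetical, not gh-aw's matcher): the only call needed is
# the one the PR description names, `git ls-remote origin "copilot/*"`.
ALLOWED_REMOTE = "origin"
REF_PATTERN = re.compile(r"copilot/[A-Za-z0-9._*/-]+")


def check_ls_remote(command):
    """Return (allowed, reason) for one command string."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        return False, f"unparseable: {exc}"
    if argv[:2] != ["git", "ls-remote"]:
        return False, "not a git ls-remote invocation"
    args = argv[2:]
    if any(a.startswith("-") for a in args):
        return False, "options are not permitted"
    if len(args) != 2:
        return False, "expected exactly <remote> <pattern>"
    remote, pattern = args
    if remote != ALLOWED_REMOTE:
        return False, f"remote {remote!r} is not {ALLOWED_REMOTE!r}"
    if not REF_PATTERN.fullmatch(pattern):
        return False, f"ref pattern {pattern!r} is outside copilot/"
    # A vetted command should be executed as this argv list, without a shell.
    return True, "ok"


def prefix_wildcard_allows(command, prefix="git ls-remote"):
    """Assumed meaning of a `git ls-remote:*` entry: anything after the prefix."""
    return command == prefix or command.startswith(prefix + " ")


# Constructed sample invocations.
SAMPLES = [
    'git ls-remote origin "copilot/*"',
    "git ls-remote https://invalid.example.invalid/nonexistent-repo.git",
    "git ls-remote origin main",
    "git ls-remote --heads origin copilot/*",
    "git log --oneline",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r}: wildcard={prefix_wildcard_allows(cmd)} scoped={check_ls_remote(cmd)}")
```
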
