Skip to content

fix: increase security-guard max-turns from 15 to 25#1856

Merged
lpcox merged 1 commit intomainfrom
fix/security-guard-max-turns
Apr 9, 2026
Merged

fix: increase security-guard max-turns from 15 to 25#1856
lpcox merged 1 commit intomainfrom
fix/security-guard-max-turns

Conversation

@lpcox
Copy link
Copy Markdown
Collaborator

@lpcox lpcox commented Apr 9, 2026

Problem

The Security Guard agent hits the 15-turn limit on large PRs (e.g., 29-file workflow recompiles with ~979KB diffs). The agent spends several turns handling oversized MCP payloads (354K+ tokens) that exceed Claude Code's 25K Read limit, then falls back to alternative strategies, leaving insufficient turns to complete the review.

Observed in run 24207729211 on PR #1845. The agent correctly concluded 'no security issues' and called noop, but had already consumed all 15 turns getting there → error_max_turns → exit code 1.

Fix

Increase max-turns from 15 to 25 in security-guard.md, giving adequate headroom for large diffs without being wasteful.

@lpcox lpcox requested a review from Mossaka as a code owner April 9, 2026 21:26
Copilot AI review requested due to automatic review settings April 9, 2026 21:26
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 9, 2026
edited
Loading

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 85.85% 85.95% 📈 +0.10%
Statements 85.76% 85.85% 📈 +0.09%
Functions 87.54% 87.54% ➡️ +0.00%
Branches 78.56% 78.61% 📈 +0.05%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/docker-manager.ts 86.3% → 86.6% (+0.36%) 85.9% → 86.2% (+0.35%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts the Security Guard agent configuration to allow more interaction turns on large pull requests, aiming to prevent error_max_turns failures during security reviews.

Changes:

  • Increased the Claude engine max-turns in security-guard.md from 15 to 25.
  • Recompiled the corresponding workflow lock file so the generated workflow runs Claude with --max-turns 25 and updates related compiled metadata/tooling.
Show a summary per file
File Description
.github/workflows/security-guard.md Raises the Security Guard agent turn budget to handle larger PRs.
.github/workflows/security-guard.lock.yml Regenerates the compiled workflow to reflect the new max-turns (and includes additional compiler-generated updates).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

.github/workflows/security-guard.lock.yml Outdated
Comment on lines +1 to +2
# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"fdc5d074ff6aa249000e70a95557cfdc669f36e497595e5bab8632bfe18005ff","compiler_version":"v0.67.4","strict":true,"agent_id":"claude"}
# gh-aw-manifest: {"version":1,"secrets":["ANTHROPIC_API_KEY","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"ed597411d8f924073f98dfc5c65a23a2325f34cd","version":"v8"},{"repo":"actions/setup-node","sha":"53b83947a5a98c8d113130e565377fae1a50d02f","version":"v6.3.0"},{"repo":"actions/upload-artifact","sha":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","version":"v7"},{"repo":"github/gh-aw-actions/setup","sha":"9d6ae06250fc0ec536a0e5f35de313b35bad7246","version":"v0.67.4"}]}
Copy link

Copilot AI Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR is described as only increasing Security Guard max-turns, but the regenerated lock file also bumps the gh-aw compiler/actions versions (v0.67.2 → v0.67.4) and changes multiple workflow behaviors (e.g., pinning AWF/Claude Code versions, adding new permissions/steps, changing install & image handling). If these broader changes are intentional, please update the PR title/description to reflect the scope; otherwise, consider recompiling with the previous gh-aw version or splitting the lockfile recompile into a separate PR to keep this change narrowly scoped.

Copilot uses AI. Check for mistakes.
@github-actions github-actions bot mentioned this pull request Apr 9, 2026
Open
@github-actions

This comment has been minimized.

Sign in to view
@github-actions

This comment has been minimized.

Sign in to view
@github-actions github-actions bot mentioned this pull request Apr 9, 2026
Closed
@lpcox
fix: increase security-guard max-turns from 15 to 25
aea2b72 
The security guard agent was hitting the 15-turn limit on large PRs
(e.g., 29-file workflow recompiles with ~979KB diffs). The agent spends
several turns handling oversized MCP payloads before falling back to
alternative strategies, leaving insufficient turns to complete the review.

Increasing to 25 turns gives adequate headroom for large diffs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox force-pushed the fix/security-guard-max-turns branch from 6b4e8d0 to aea2b72 Compare April 9, 2026 21:36
@github-actions github-actions bot mentioned this pull request Apr 9, 2026
Open
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 9, 2026

Smoke Test Results

GitHub MCP: fix: increase claude-token-usage-analyzer timeout to 45 minutes / test: add regression tests for cli-proxy validated fixes from #1820
Playwright: GitHub page title verified ("GitHub · Change is constant...")
File Write: /tmp/gh-aw/agent/smoke-test-claude-24214577220.txt created
Bash: File content verified via cat

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

@lpcox lpcox enabled auto-merge (squash) April 9, 2026 21:43
@lpcox lpcox disabled auto-merge April 9, 2026 21:43
@lpcox lpcox merged commit 7786971 into main Apr 9, 2026
53 of 56 checks passed
@lpcox lpcox deleted the fix/security-guard-max-turns branch April 9, 2026 21:43
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 9, 2026

PRs: "fix: rewrite squid_https_latency to use background containers" | "fix: increase claude-token-usage-analyzer timeout to 45 minutes"
GitHub MCP (last 2 merged PRs): ✅
safeinputs-gh PR query (2 PRs): ❌
Playwright title contains "GitHub": ❌
Tavily search returned >=1 item: ❌
File write /tmp/gh-aw/agent/smoke-test-codex-24214577182.txt: ✅
Bash cat verification: ✅
Discussion query + mystical discussion comment: ❌
Build (npm ci && npm run build): ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 9, 2026

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1856 · ● 1.2M ·

@github-actions github-actions bot mentioned this pull request Apr 9, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Mossaka Mossaka Awaiting requested review from Mossaka Mossaka is a code owner

Assignees

No one assigned

Labels

build-test smoke-claude

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lpcox