fix: increase token optimizer timeout and tighten prompt by lpcox · Pull Request #1990 · github/gh-aw-firewall

lpcox · 2026-04-15T16:40:19Z

Summary

Fixes the Daily Claude Token Optimization Advisor timeout failure (#1989).

Changes

Increase timeout-minutes from 15 to 25 — the agent was actively working (analyzing workflows and about to create the issue) when killed at the 15-minute mark
Add focus instruction — explicit IMPORTANT: Stay focused directive prevents the agent from exploring unrelated workflow files (the failed run showed it reading security-guard.lock.yml and dependency-security-monitor.md instead of staying on the target workflow)
Trim redundant prompt sections — removed post-agent steps mention (not used), condensed Step 4 analysis instructions to reduce prompt token overhead

Testing

Compiled and post-processed successfully. The next scheduled run (or manual workflow_dispatch) will validate the fix.

Closes #1989

- Increase timeout-minutes from 15 to 25 to prevent premature termination (the agent was actively working when killed) - Add focus instruction to prevent agent from exploring unrelated workflow files - Trim redundant prompt sections to reduce token overhead - Remove post-agent steps mention (not used in this workflow) Closes #1989 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot

Pull request overview

Adjusts the “Daily Claude Token Optimization Advisor” agentic workflow to avoid premature termination during long optimization runs and to better constrain agent behavior to the intended target workflow.

Changes:

Increased agent execution timeout from 15 to 25 minutes.
Tightened/trimmed the agent prompt to reduce wandering and token overhead.
Recompiled the workflow lock file (also pulling in newer gh-aw-generated runtime details).

Show a summary per file

File	Description
.github/workflows/claude-token-optimizer.md	Raises timeout and updates the agent instructions to stay focused and reduce prompt verbosity.
.github/workflows/claude-token-optimizer.lock.yml	Regenerated compiled workflow reflecting the new timeout/prompt and updated gh-aw compilation output.
.github/aw/actions-lock.json	Updates pinned action entries associated with gh-aw actions.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (2)

.github/workflows/claude-token-optimizer.md:124

“Read only the target workflow file” is at odds with Step 3’s suggested grep -rl ... .github/workflows/*.md name-resolution approach, which necessarily scans other workflow files. To avoid confusing the agent, clarify that it may scan other workflows only to resolve the correct filename (e.g., grep for a matching name:), but should not open/read unrelated workflow contents beyond that.

- **Pre-agent steps** \u2014 Does it use `steps:` to pre-compute deterministic work?

Read **only** the target workflow file. Do not explore other workflow files.

.github/workflows/claude-token-optimizer.lock.yml:863

This workflow no longer uploads a dedicated firewall-audit-logs artifact (unlike the other generated *.lock.yml workflows in this repo), and instead bundles firewall logs/audit into the agent artifact. If any tooling or runbooks expect the separate artifact name, this is a behavior change; consider restoring the separate upload step or confirming/aligning the artifact conventions across workflows.

            /tmp/gh-aw/safeoutputs.jsonl
            /tmp/gh-aw/agent_output.json
            /tmp/gh-aw/sandbox/firewall/logs/
            /tmp/gh-aw/sandbox/firewall/audit/
          if-no-files-found: ignore

Files reviewed: 3/3 changed files
Comments generated: 3

Copilot · 2026-04-15T16:45:11Z


 You are an AI agent that reads the latest Claude token usage report and produces **concrete, actionable optimization recommendations** for the most token-intensive Claude-engine workflow.

+**IMPORTANT:** Stay focused on the task. Follow these steps in order. Do not explore unrelated workflows or files beyond the single target workflow. Use only the pre-downloaded data and the target workflow file.


The new constraint “Use only the pre-downloaded data and the target workflow file” conflicts with Step 1/2, which requires querying GitHub issues to find/read the latest token usage report. Consider rewording to allow fetching the report issue via gh issue ... (and other explicitly-listed commands), while still prohibiting reading unrelated workflow files.

This issue also appears on line 121 of the same file.

Suggested change

**IMPORTANT:** Stay focused on the task. Follow these steps in order. Do not explore unrelated workflows or files beyond the single target workflow. Use only the pre-downloaded data and the target workflow file.

**IMPORTANT:** Stay focused on the task. Follow these steps in order. Do not explore unrelated workflows or files beyond the single target workflow. Use only: (1) the pre-downloaded data, (2) the Claude token usage report issue fetched via the explicitly requested `gh issue ...` commands in these steps, and (3) the single target workflow file. Do not read unrelated workflow files or other repository files.

Copilot · 2026-04-15T16:45:12Z

+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"a80a10815f6d3ee18387312f506d991627021d1f9ab84011841632e62137b1bd","compiler_version":"v0.68.2","strict":true,"agent_id":"copilot"}
+# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"19c436149e80e5be4f0adbd9cdeb391acea5fa91","version":"v0.68.2"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.20"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.19"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0"},{"image":"node:lts-alpine"}]}


The regenerated lock file includes a broader gh-aw/tooling upgrade (compiler v0.68.2, container image bumps, new scripts/flags) in addition to the timeout/prompt tweaks described in the PR. If the intent is only to change timeout/prompt, consider recompiling with the existing gh-aw version to keep the diff minimal, or explicitly call out the upgrade in the PR description since it changes runtime behavior.

This issue also appears on line 859 of the same file.

Copilot · 2026-04-15T16:45:12Z

-      "sha": "2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc"
+      "version": "v0.68.2",
+      "sha": "19c436149e80e5be4f0adbd9cdeb391acea5fa91"
    },


.github/aw/actions-lock.json dropped the github/gh-aw-actions/setup-cli@v0.68.1 entry, but that action is still referenced elsewhere (e.g., .github/workflows/agentics-maintenance.yml uses github/gh-aw-actions/setup-cli@... # v0.68.1). If this lock file is used to drive/validate action pinning during gh aw upgrade, consider keeping a setup-cli entry (and any other still-in-use actions) until those workflows are upgraded too.

Suggested change

},

},

"github/gh-aw-actions/setup-cli@v0.68.1": {

"repo": "github/gh-aw-actions/setup-cli",

"version": "v0.68.1",

"sha": "REPLACE_WITH_THE_PREVIOUSLY_LOCKED_V0_68_1_SHA"

},

Reword the IMPORTANT directive to explicitly allow: - Fetching the token usage report issue via gh issue commands - Scanning workflow filenames via grep to resolve the target - Reading the single target workflow file While still prohibiting reading unrelated workflow contents. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions · 2026-04-15T16:54:49Z

Smoke Test Results

✅ GitHub MCP: fix(api-proxy): address review comments on OpenCode port 10004 routing #1984 fix(api-proxy): address review comments on OpenCode port 10004 routing / fix(api-proxy): OpenCode port 10004 defaults to Copilot/OpenAI routing instead of Anthropic #1979 fix(api-proxy): OpenCode port 10004 defaults to Copilot/OpenAI routing instead of Anthropic
✅ Playwright: github.com title contains "GitHub"
✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-24467006847.txt created
✅ Bash: File content verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-04-15T16:55:05Z

Smoke Test Results

Test	Status
GitHub MCP (`list_pull_requests`)	❌ No MCP server available
GitHub.com HTTP connectivity	⚠️ Pre-step data not resolved
File write/read	⚠️ Pre-step data not resolved

Overall: FAIL

PR: "fix: increase token optimizer timeout and tighten prompt" by @lpcox (no assignees)

Note: Pre-computed test data (SMOKE_HTTP_CODE, SMOKE_FILE_PATH, SMOKE_FILE_CONTENT) were not resolved — workflow step outputs did not propagate.

📰 BREAKING: Report filed by Smoke Copilot

github-actions · 2026-04-15T16:56:18Z

Smoke test matrix:

PR title: fix(api-proxy): OpenCode port 10004 defaults to Copilot/OpenAI routing instead of Anthropic
PR title: fix(api-proxy): address review comments on OpenCode port 10004 routing
GitHub MCP review: ✅
safeinputs-gh CLI query: ❌
Playwright github.com title contains "GitHub": ✅
Tavily search: ❌
File write + bash cat: ✅
Discussion query + mystical discussion comment: ❌
Build (npm ci && npm run build): ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

github-actions · 2026-04-15T16:57:23Z

Smoke Test: GitHub Actions Services Connectivity ✅

All connectivity checks passed.

Service	Check	Result
Redis	`PING` → `host.docker.internal:6379`	✅ `PONG`
PostgreSQL	`pg_isready` → `host.docker.internal:5432`	✅ accepting connections
PostgreSQL	`psql SELECT 1` → `smoketest` db as `postgres`	✅ returned `1`

Note: redis-cli was not available in the environment; Redis was verified via raw TCP socket (sent PING, received +PONG).

🔌 Service connectivity validated by Smoke Services

github-actions · 2026-04-15T16:57:25Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1990 · ● 707.6K · ◷

lpcox requested a review from Mossaka as a code owner April 15, 2026 16:40

Copilot AI review requested due to automatic review settings April 15, 2026 16:40

Copilot started reviewing on behalf of lpcox April 15, 2026 16:40 View session