fix: handle auth errors gracefully in MCP Gateway Log Analyzer#4878
Merged
fix: handle auth errors gracefully in MCP Gateway Log Analyzer#4878
Conversation
When GH_AW_MCP_MULTIREPO_TOKEN does not have access to github/gh-aw, the agent was calling report_incomplete which triggered creation of a failure issue. Fix by: - Adding Step 0 Pre-flight Access Check that tests repo access early - Instructing agent to use missing_data + noop (not report_incomplete) when it encounters 401/403/404 errors on github/gh-aw - Adding "Access and Authentication Errors" section to guidelines reinforcing that auth failures are config issues, not analysis failures Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/7e198272-aed2-4c77-8d0a-2d2389e005c5 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Debug MCP Gateway Log Analyzer workflow failure
fix: handle auth errors gracefully in MCP Gateway Log Analyzer
Apr 30, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the MCP Gateway Log Analyzer workflow guidance to avoid treating GitHub access/auth failures (e.g., missing GH_AW_MCP_MULTIREPO_TOKEN access to github/gh-aw) as analysis failures, so the automation exits gracefully instead of generating spurious failure issues.
Changes:
- Adds a Step 0 pre-flight repo access check using a lightweight
list_workflow_runsprobe. - Specifies new handling for 401/403/404 by emitting
missing_datathennoop(and explicitly forbidsreport_incompletefor auth failures). - Adds an “Access and Authentication Errors” guidelines section to clarify correct signaling.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/mcp-gateway-log-analyzer.md | Adds pre-flight access check + updated guidance for auth/permission failures using missing_data + noop. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/1 changed files
- Comments generated: 1
| - **DO NOT use `report_incomplete`** — authentication failures are a configuration issue, not an analysis failure. | ||
| - Emit `missing_data` with: | ||
| - `data_type`: `workflow_runs` | ||
| - `reason`: `Authentication failed (401 Bad credentials): GH_AW_MCP_MULTIREPO_TOKEN does not have access to github/gh-aw. The token may be expired or missing the required repository permissions (actions:read).` |
There was a problem hiding this comment.
The suggested missing_data.reason value for the 401 case is much longer than this workflow’s Safe Outputs validation allows (reason maxLength is 256). If the agent emits this verbatim, the safe-outputs handler will reject the output and can cause the run to fail (undoing the goal of graceful auth handling). Please shorten reason to <=256 characters and move the longer explanation into the noop.message (or keep extra detail in context).
Suggested change
| - `reason`: `Authentication failed (401 Bad credentials): GH_AW_MCP_MULTIREPO_TOKEN does not have access to github/gh-aw. The token may be expired or missing the required repository permissions (actions:read).` | |
| - `reason`: `Authentication failed (401 Bad credentials): token cannot access github/gh-aw.` |
This was referenced Apr 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Log Analyzer agent was calling
report_incompleteon 401 Bad Credentials errors fromgithub/gh-aw, causing the conclusion job to create a spurious failure issue on every run whereGH_AW_MCP_MULTIREPO_TOKENlacks access to that repo.Changes
github/gh-awaccess with a single lightweight API call before doing any analysis work; fails fast with the right signals rather than discovering the auth error mid-taskmissing_data(records what was unavailable and why) thennoop(completes gracefully); explicitly forbidden from usingreport_incompletefor auth failuresreport_incompleteis reserved for genuine analysis failures, not expired/misconfigured tokensThe lock.yml is untouched — its frontmatter hash remains valid because only the
.mdbody changes, which is imported at runtime via{{#runtime-import}}.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
example.com/tmp/go-build183694268/b513/launcher.test /tmp/go-build183694268/b513/launcher.test -test.testlogfile=/tmp/go-build183694268/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s -W .cfg 9654054/b314/ x_amd64/vet . --gdwarf2 --64 x_amd64/vet 9654�� .cfg ache/go/1.25.9/x-ifaceassert x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet(dns block)invalid-host-that-does-not-exist-12345.com/tmp/go-build183694268/b495/config.test /tmp/go-build183694268/b495/config.test -test.testlogfile=/tmp/go-build183694268/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build183694268/b393/vet.cfg 1.80.0/resolver/dns/dns_resolver.go aw-mcpg/internal/difc/capabilities.go x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet --de�� g_.a --debug-prefix-m-ifaceassert x_amd64/vet -I gzip -I x_amd64/vet(dns block)nonexistent.local/tmp/go-build183694268/b513/launcher.test /tmp/go-build183694268/b513/launcher.test -test.testlogfile=/tmp/go-build183694268/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s -W .cfg 9654054/b314/ x_amd64/vet . --gdwarf2 --64 x_amd64/vet 9654�� .cfg ache/go/1.25.9/x-ifaceassert x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet(dns block)slow.example.com/tmp/go-build183694268/b513/launcher.test /tmp/go-build183694268/b513/launcher.test -test.testlogfile=/tmp/go-build183694268/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s -W .cfg 9654054/b314/ x_amd64/vet . --gdwarf2 --64 x_amd64/vet 9654�� .cfg ache/go/1.25.9/x-ifaceassert x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet(dns block)this-host-does-not-exist-12345.com/tmp/go-build183694268/b522/mcp.test /tmp/go-build183694268/b522/mcp.test -test.testlogfile=/tmp/go-build183694268/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s -I .cfg vi4A/zemEcZckQEXwB9lkvi4A x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet .cfg�� 9654054/b395/_pkg_.a ache/go/1.25.9/x64/src/database/sql/driver/driver.go x_amd64/vet --gdwarf-5 g/grpc/balancer/--version -o x_amd64/vet(dns block)If you need me to access, download, or install something from one of these locations, you can either: