
fix: exclude proxy-tls from agent artifact upload to prevent EACCES failure#22853

Merged
pelikhan merged 2 commits into main from copilot/investigate-issue
Mar 25, 2026

Conversation


Copilot AI commented Mar 25, 2026

The DIFC proxy writes a TLS private key to /tmp/gh-aw/proxy-logs/proxy-tls/server.key with root-only permissions (mode 600). Including /tmp/gh-aw/proxy-logs/ in the agent artifact upload caused actions/upload-artifact to fail with EACCES, leaving the artifact missing and cascading into a detection job failure ("Prompt file not found").

Changes

  • compiler_difc_proxy.go: difcProxyLogPaths() now returns an exclusion entry !/tmp/gh-aw/proxy-logs/proxy-tls/ alongside the include path, keeping proxy container logs while dropping the unreadable (and sensitive) TLS key material.

  • step_order_validation.go: isPathScannedBySecretRedaction() now treats !-prefixed exclusion patterns as safe — they're never uploaded, so they don't need secret redaction coverage. Without this, the compiler rejected the new exclusion entry as an unscanned path.

  • 23 lock files recompiled for workflows that use DIFC guard policies (min-integrity).

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:



…t EACCES error

The DIFC proxy creates a TLS private key at /tmp/gh-aw/proxy-logs/proxy-tls/server.key
with root-only permissions (mode 600). When the agent artifact tried to upload
/tmp/gh-aw/proxy-logs/, it failed with EACCES because the runner could not read
this file, preventing the detection job from downloading the agent artifact.

Fix: Add !/tmp/gh-aw/proxy-logs/proxy-tls/ exclusion pattern to difcProxyLogPaths()
so the TLS key/cert directory is never included in the artifact upload. The TLS
private key is ephemeral, not needed for debugging, and should not be uploaded.

Also update isPathScannedBySecretRedaction() in the step order validator to
recognize exclusion patterns (paths starting with !) as valid - they are not
themselves uploaded, so they don't need to be covered by secret redaction.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/d543c36a-17a4-4716-ad17-fb5149cabfc1
Copilot AI changed the title from "[WIP] Investigate issue in GitHub Actions workflow" to "fix: exclude proxy-tls from agent artifact upload to prevent EACCES failure" Mar 25, 2026
Copilot AI requested a review from pelikhan March 25, 2026 11:07
@pelikhan pelikhan marked this pull request as ready for review March 25, 2026 11:20
Copilot AI review requested due to automatic review settings March 25, 2026 11:20
@pelikhan pelikhan merged commit c684c91 into main Mar 25, 2026
@pelikhan pelikhan deleted the copilot/investigate-issue branch March 25, 2026 11:20

Copilot AI left a comment


Pull request overview

Fixes agent artifact upload failures caused by unreadable (and sensitive) DIFC proxy TLS key material under /tmp/gh-aw/proxy-logs/proxy-tls/ by excluding that directory from uploads, while updating validation to allow exclusion patterns.

Changes:

  • Add an upload-artifact exclusion pattern for /tmp/gh-aw/proxy-logs/proxy-tls/ while keeping /tmp/gh-aw/proxy-logs/ included.
  • Update secret-redaction path validation to treat !-prefixed artifact path exclusions as safe.
  • Recompile workflow lock files to include the new exclusion line in agent artifact upload paths.

Reviewed changes

Copilot reviewed 27 out of 27 changed files in this pull request and generated no comments.

Summary per file:

  • pkg/workflow/compiler_difc_proxy.go: Adds !/tmp/gh-aw/proxy-logs/proxy-tls/ to DIFC proxy artifact paths to avoid EACCES and avoid uploading TLS private key material.
  • pkg/workflow/compiler_difc_proxy_test.go: Updates tests to assert both inclusion and exclusion paths are returned for DIFC proxy logs.
  • pkg/workflow/step_order_validation.go: Treats !-prefixed artifact path exclusions as safe in secret-redaction coverage validation.
  • pkg/workflow/step_order_validation_test.go: Adds test cases ensuring exclusion patterns are accepted by secret-redaction coverage validation.
  • .github/workflows/workflow-generator.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/weekly-safe-outputs-spec-review.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/weekly-issue-summary.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/weekly-blog-post-writer.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/stale-repo-identifier.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/smoke-agent-scoped-approved.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/smoke-agent-public-none.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/smoke-agent-public-approved.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/smoke-agent-all-none.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/smoke-agent-all-merged.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/scout.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/refiner.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/q.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/pr-triage-agent.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/plan.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/org-health-report.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/issue-triage-agent.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/issue-monster.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/issue-arborist.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/grumpy-reviewer.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/discussion-task-miner.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/daily-issues-report.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
  • .github/workflows/contribution-check.lock.yml: Adds the proxy-tls exclusion to the agent artifact upload path list.
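The two behaviours described in the PR description and in the review summary above, shown as an added stand-alone example (this is not gh-aw's own code): an upload path list in which the "!"-prefixed entry removes the proxy-tls directory from what is uploaded, and a redaction-coverage check that accepts such exclusions instead of flagging them as unscanned. The function names, the scanned root /tmp/gh-aw/ and the sample file listing are assumptions constructed for this example; the two path entries are the ones the PR describes.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// proxyLogPaths mirrors the upload-artifact path list the PR describes:
// plain entries are included, a "!"-prefixed entry is excluded.
var proxyLogPaths = []string{
	"/tmp/gh-aw/proxy-logs/",
	"!/tmp/gh-aw/proxy-logs/proxy-tls/",
}

// isExclusion reports whether an upload path entry is a "!"-prefixed exclusion.
func isExclusion(p string) bool { return strings.HasPrefix(p, "!") }

// underDir reports whether file f lies inside directory dir (slash-separated).
func underDir(f, dir string) bool {
	d := path.Clean(dir)
	return f == d || strings.HasPrefix(f, d+"/")
}

// coveredByRedaction is the validator rule from the PR: an include entry must
// sit under a directory the secret-redaction step scans, while an exclusion
// entry is accepted outright because nothing under it is uploaded. Without the
// isExclusion short-circuit the raw "!..." string never matches a scanned root,
// which is the rejection the PR fixes. The scanned roots are an assumption of
// this example, not gh-aw's configuration.
func coveredByRedaction(entry string, scannedRoots []string) bool {
	if isExclusion(entry) {
		return true
	}
	for _, root := range scannedRoots {
		if underDir(path.Clean(entry), root) {
			return true
		}
	}
	return false
}

// unscannedPaths returns the entries a step-order validator would reject.
func unscannedPaths(entries, scannedRoots []string) []string {
	var bad []string
	for _, e := range entries {
		if !coveredByRedaction(e, scannedRoots) {
			bad = append(bad, e)
		}
	}
	return bad
}

// effectiveUpload resolves include/exclude directory entries against a file
// listing: a file is uploaded only if some include entry contains it and no
// exclusion entry does, so the mode-600 key is never handed to the uploader.
func effectiveUpload(entries, files []string) []string {
	var out []string
	for _, f := range files {
		included, excluded := false, false
		for _, e := range entries {
			if !underDir(f, strings.TrimPrefix(e, "!")) {
				continue
			}
			if isExclusion(e) {
				excluded = true
			} else {
				included = true
			}
		}
		if included && !excluded {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Constructed sample listing: a readable proxy log next to the root-only key.
	files := []string{
		"/tmp/gh-aw/proxy-logs/proxy.log",
		"/tmp/gh-aw/proxy-logs/proxy-tls/server.key",
	}
	fmt.Println("uploaded:", effectiveUpload(proxyLogPaths, files))
	fmt.Println("unscanned:", unscannedPaths(proxyLogPaths, []string{"/tmp/gh-aw/"}))
}
```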

