feat: add post cleanup script to actions/setup to erase /tmp/gh-aw/ #22938
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/72f086e1-072b-4238-94cd-db1eaaca8353
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4290b5c1-bc7e-4de0-b83d-22929f106bad
🔧 Starting tool validation... Agent Container Smoke Test is checking the agent container tools...

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

🔮 The ancient spirits stir... Smoke Codex awakens to divine this pull request...
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/28d17560-27f9-45e9-93b3-d67b3366236b
Pull request overview
Adds a post-job cleanup step to the actions/setup GitHub Action by converting it from a composite action to a JavaScript action, enabling runs.post to remove /tmp/gh-aw after the job completes.
Changes:
- Convert `actions/setup` from `using: composite` to a Node-based action with `main` and `post` entrypoints.
- Add `index.js` wrapper to invoke the existing `setup.sh`.
- Add `post.js` to delete `/tmp/gh-aw` in the post-job phase.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| actions/setup/action.yml | Switches the action runtime to Node and wires up main/post scripts. |
| actions/setup/index.js | Spawns setup.sh and normalizes one input env var. |
| actions/setup/post.js | Best-effort post-job deletion of /tmp/gh-aw. |
| const result = spawnSync(path.join(__dirname, "setup.sh"), [], { | ||
| stdio: "inherit", | ||
| env: Object.assign({}, process.env, { | ||
| INPUT_SAFE_OUTPUT_CUSTOM_TOKENS: safeOutputCustomTokens, | ||
| }), | ||
| }); |
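Review bot: the value assigned on the `const result = spawnSync(` line carries `error`, `status` and `signal`, and the handling that follows the call is not visible in this hunk. Confirm that a spawn failure (`result.error` set) and a signal kill (`result.status === null`) both end the step with a non-zero exit code rather than being read as success, and that a non-zero `result.status` from setup.sh is passed through unchanged.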
spawnSync is executing setup.sh directly. This relies on setup.sh having the executable bit set and being runnable on the host; previously the composite action (and test-setup-local.sh) invoked it via bash, which works even if the script isn't executable. To avoid EACCES failures and keep behavior consistent, invoke bash explicitly (e.g., spawn bash with the script path).
| process.env["INPUT_SAFE_OUTPUT_CUSTOM_TOKENS"] || | ||
| process.env["INPUT_SAFE-OUTPUT-CUSTOM-TOKENS"] || | ||
| "false"; |
The fallback lookup for process.env["INPUT_SAFE-OUTPUT-CUSTOM-TOKENS"] is likely dead code: GitHub Actions normalizes input env vars to use underscores, and environment variable names with hyphens are not generally settable/usable in shells. Consider removing this branch (or replace it with logic that normalizes from the actual input name) to reduce confusion.
| process.env["INPUT_SAFE_OUTPUT_CUSTOM_TOKENS"] || | |
| process.env["INPUT_SAFE-OUTPUT-CUSTOM-TOKENS"] || | |
| "false"; | |
| process.env["INPUT_SAFE_OUTPUT_CUSTOM_TOKENS"] || "false"; |
Agreed — the hyphen-based env var lookup is unreachable since GitHub Actions always normalizes to underscores. Safe to remove that fallback branch.
📰 BREAKING: Report filed by Smoke Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@copilot review post step failure at https://github.com/github/gh-aw/actions/runs/23557022522/job/68586543761
💥 Automated smoke test review - all systems nominal!
Note
🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
- #22915 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```

💥 [THE END] — Illustrated by Smoke Claude
| process.env["INPUT_SAFE-OUTPUT-CUSTOM-TOKENS"] || | ||
| "false"; | ||
|
|
||
| const result = spawnSync(path.join(__dirname, "setup.sh"), [], { |
The spawnSync call looks good. Consider adding a timeout option to prevent the setup script from hanging indefinitely in edge cases.
actions/setup/post.js
|
|
||
| try { | ||
| console.log(`Cleaning up ${tmpDir}...`); | ||
| fs.rmSync(tmpDir, { recursive: true, force: true }); |
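Review bot: on the `fs.rmSync(tmpDir, ...)` line, `force: true` only suppresses the error for a path that does not exist; it does not override permissions, so any file under tmpDir that was written as root during the job will still raise EACCES and end up in the handler for this `try`. If root-owned leftovers are expected, the cleanup needs a privileged removal path, and the handler should log `err.code` so a permissions failure can be told apart from other errors.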
Good use of recursive: true and force: true for cleanup. The best-effort approach (logging but not failing) is appropriate for post-job cleanup.
Agreed — the best-effort cleanup approach is the right call here. No need to fail the job over a temp dir cleanup. 🤖
📰 BREAKING: Report filed by Smoke Copilot
💥 Automated smoke test review - all systems nominal!
Note
🔒 Integrity filter blocked 2 items
The following items were blocked because they don't meet the GitHub integrity level.
- #22969 search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
- #22938 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

```yaml
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
```

💥 [THE END] — Illustrated by Smoke Claude
@copilot The cleanup session always fails with permissions issues. Post job cleanup.
Files written by Docker containers or privileged scripts during the job are owned by root, causing fs.rmSync to fail with EACCES. GitHub-hosted runners have passwordless sudo, so try `sudo rm -rf` first and fall back to fs.rmSync for self-hosted runners without sudo. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4905a7a0-58f6-4f2f-b856-8cae909dc609 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in d92b019. The files in |
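
The sudo-first, `fs.rmSync`-fallback cleanup described in the commit message above, as an added example that is not the project's `post.js`. The `cleanup` function, its injectable `run`/`rm`/`lstat` parameters and the symlink refusal are assumptions of this sketch, added so the logic can be exercised without real sudo.

```javascript
// Added example, not the project's post.js. cleanup() and its injectable
// run/rm/lstat parameters are hypothetical names used so the logic is testable.
const fs = require("fs");
const { spawnSync } = require("child_process");

function cleanup(dir, deps = {}) {
  const run = deps.run || spawnSync;
  const rm = deps.rm || fs.rmSync;
  const lstat = deps.lstat || fs.lstatSync;

  let st;
  try {
    st = lstat(dir); // lstat does not follow a symlink at `dir`
  } catch (err) {
    return err.code === "ENOENT" ? "absent" : "failed";
  }
  // /tmp is world-writable: never hand a symlink or a non-directory
  // to a delete that runs as root.
  if (st.isSymbolicLink() || !st.isDirectory()) return "refused";

  // -n makes sudo fail instead of prompting, so a runner without
  // passwordless sudo falls through to the unprivileged path.
  // "--" stops option parsing before the path argument.
  const res = run("sudo", ["-n", "rm", "-rf", "--", dir], { stdio: "inherit" });
  if (!res.error && res.status === 0) return "sudo";

  try {
    // force: true only hides ENOENT; EACCES on root-owned files still throws.
    rm(dir, { recursive: true, force: true });
    return "rmSync";
  } catch (err) {
    // Best effort: report the failure, do not fail the job.
    console.log(`Warning: could not remove ${dir}: ${err.code || err.message}`);
    return "failed";
  }
}

module.exports = { cleanup };
```

The return value names the path that was taken, which makes it easy to log whether a runner is relying on sudo or on the unprivileged fallback.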
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
🧪 Smoke Test Results — Run 23566025048
Overall:
Reviewed the post-cleanup addition. Two inline notes on actions/setup/index.js: (1) invoke bash explicitly in spawnSync to avoid executable-bit issues; (2) the hyphenated INPUT_SAFE-OUTPUT-CUSTOM-TOKENS fallback is unreachable and can be removed. The core logic and the new post.js cleanup approach look good.
📰 BREAKING: Report filed by Smoke Copilot
| process.env["INPUT_SAFE-OUTPUT-CUSTOM-TOKENS"] || | ||
| "false"; | ||
|
|
||
| const result = spawnSync(path.join(__dirname, "setup.sh"), [], { |
Consider invoking bash explicitly instead of relying on the executable bit of setup.sh. This avoids potential EACCES errors if the script is not marked executable in the checkout:
spawnSync("bash", [path.join(__dirname, "setup.sh")], { ... })
| // normalise the safe-output-custom-tokens input to ensure setup.sh finds it. | ||
| const safeOutputCustomTokens = | ||
| process.env["INPUT_SAFE_OUTPUT_CUSTOM_TOKENS"] || | ||
| process.env["INPUT_SAFE-OUTPUT-CUSTOM-TOKENS"] || |
The INPUT_SAFE-OUTPUT-CUSTOM-TOKENS fallback (with hyphens) is unreachable in practice — GitHub Actions always normalizes input names to uppercase with underscores. The branch can be safely removed to simplify the code.
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
Smoke Test Run 23566025032
Overall: PARTIAL — 16 passed, 2 skipped, 0 failed
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
| @@ -0,0 +1,5 @@ | |||
| --- | |||
| "gh-aw": patch | |||
| --- | |||
Minor nit: the changeset description could mention that post-step cleanup requires the actions/setup directory to be included in sparse-checkout so the post script is available at runtime.
| .github | ||
| .agents | ||
| actions/setup | ||
| sparse-checkout-cone-mode: true |
Good addition — including actions/setup in sparse-checkout ensures the post.js script is available when GitHub Actions invokes the post step after the main job completes.
Smoke test summary (Codex, run 23566025025) Merged PRs:
Results: GitHub MCP ✅ | Serena ✅ | Playwright ✅ | Web Fetch ✅ | File Write ✅ | Bash ✅ | Build ✅
Summary
Adds a `post` script to the `actions/setup` action that erases the `/tmp/gh-aw/` directory after the job completes, using the `runs.post` lifecycle supported by JavaScript actions.

Changes

`action.yml`
- `using: composite` to `using: node20` to enable the `runs.post` lifecycle
- `main: 'index.js'`, `post: 'post.js'`, and `post-if: 'always()'` so the cleanup runs regardless of job outcome

`index.js` (new)
- `setup.sh` via `child_process.spawnSync`
- `INPUT_SAFE_OUTPUT_CUSTOM_TOKENS` to handle both hyphen and underscore forms of the env var name

`post.js` (new)
- `runs.post`
- `/tmp/gh-aw/` using `fs.rmSync` with `{ recursive: true, force: true }`

Notes
- `@actions/core` is not used since the package lives in `js/node_modules/` (a subdirectory) and is not in the module resolution path for files at the action root; built-in `console` and `process` are equivalent for this minimal wrapper pattern
- `node_modules/flatted` (Go files inside npm deps) are unrelated to these changes

✨ PR Review Safe Output Test - Run 23556804478

Note
🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
- search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower `min-integrity` in your GitHub frontmatter:

Changeset
- `actions/setup` to remove `/tmp/gh-aw/` and updated checkout handling so setup action runtime files remain available for post-step execution.

✨ PR Review Safe Output Test - Run 23561682947

✨ PR Review Safe Output Test - Run 23563803890

Note
🔒 Integrity filter blocked 2 items
The following items were blocked because they don't meet the GitHub integrity level.
- search_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
- pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower `min-integrity` in your GitHub frontmatter:

✨ PR Review Safe Output Test - Run 23566025032