Conversation
…s summary Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4b54fad3-d87a-439d-953a-73ebb48c32c6 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Switches the ci-doctor agent workflow from the Copilot engine with a pinned model to the codex engine, and updates the reporting templates to require a progressive-disclosure Analysis Steps section in every report.
Changes:
- Updated workflow frontmatter to use `engine: codex` (dropping the explicit model override).
- Added required collapsible Analysis Steps sections to both the PR diagnostic comment and investigation issue templates, plus checklist/guidelines reinforcement.
- Recompiled the generated lock workflow to run via Codex CLI (including new secret validation and MCP configuration changes).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/ci-doctor.md | Switches engine to codex and enforces an Analysis Steps <details> section in report templates/guidelines. |
| .github/workflows/ci-doctor.lock.yml | Regenerates the compiled workflow to install/run Codex CLI, update secret validation, and adjust MCP gateway/config wiring. |
Comments suppressed due to low confidence (1)
.github/workflows/ci-doctor.lock.yml:1240
- Same issue as the agent job: `OPENAI_API_KEY` is being populated via `${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}`, which will override a distinct `OPENAI_API_KEY` if `CODEX_API_KEY` is present. Set `OPENAI_API_KEY` from `secrets.OPENAI_API_KEY` directly (and keep `CODEX_API_KEY` separate) so the intended credential is used.
OPENAI_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}
RUST_LOG: trace,hyper_util=info,mio=info,reqwest=info,os_info=info,codex_otel=warn,codex_core=debug,ocodex_exec=debug
| startup_timeout_sec = 120 | ||
| tool_timeout_sec = 60 | ||
| container = "ghcr.io/github/github-mcp-server:v0.32.0" | ||
| env = { "GITHUB_HOST" = "$GITHUB_SERVER_URL", "GITHUB_PERSONAL_ACCESS_TOKEN" = "$GH_AW_GITHUB_TOKEN", "GITHUB_READ_ONLY" = "1", "GITHUB_TOOLSETS" = "context,repos,issues,pull_requests,actions" } |
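Review bot: the image on the `container = "ghcr.io/github/github-mcp-server:v0.32.0"` line is pinned by tag, and a tag is mutable, so the MCP server the gateway launches can change without any change to this file; pin it by digest instead (`ghcr.io/github/github-mcp-server@sha256:<digest>`, with the digest taken from the registry at the time the version is chosen). `GITHUB_READ_ONLY = "1"` is the right setting for a diagnostic agent and should stay as is.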
In the generated config.toml, the GitHub MCP server token is set from $GH_AW_GITHUB_TOKEN, but that variable is not exported in this step (the step env provides GITHUB_MCP_SERVER_TOKEN instead). As written, the token will expand to an empty string and the GitHub MCP server will fail to authenticate. Use $GITHUB_MCP_SERVER_TOKEN here, or export GH_AW_GITHUB_TOKEN in the Start MCP Gateway step env before writing the TOML.
| env = { "GITHUB_HOST" = "$GITHUB_SERVER_URL", "GITHUB_PERSONAL_ACCESS_TOKEN" = "$GH_AW_GITHUB_TOKEN", "GITHUB_READ_ONLY" = "1", "GITHUB_TOOLSETS" = "context,repos,issues,pull_requests,actions" } | |
| env = { "GITHUB_HOST" = "$GITHUB_SERVER_URL", "GITHUB_PERSONAL_ACCESS_TOKEN" = "$GITHUB_MCP_SERVER_TOKEN", "GITHUB_READ_ONLY" = "1", "GITHUB_TOOLSETS" = "context,repos,issues,pull_requests,actions" } |
| "container": "ghcr.io/github/github-mcp-server:v0.32.0", | ||
| "env": { | ||
| "GITHUB_HOST": "\${GITHUB_SERVER_URL}", | ||
| "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}", | ||
| "GITHUB_HOST": "$GITHUB_SERVER_URL", | ||
| "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN", | ||
| "GITHUB_READ_ONLY": "1", |
The MCP gateway JSON config heredoc is unquoted, so $GITHUB_MCP_SERVER_TOKEN and $GH_AW_SAFE_OUTPUTS_API_KEY will be expanded into the generated JSON that gets piped into start_mcp_gateway.sh. Keeping secrets as literal values in generated config increases the chance of accidental logging/collection. Prefer leaving placeholders (e.g., \${GITHUB_MCP_SERVER_TOKEN}) and letting the gateway resolve them from environment variables instead of expanding them in the shell.
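An added example (not code from gh-aw or from this PR) that shows the two behaviours the comments above describe: an unquoted heredoc bakes the token into the generated config, a quoted heredoc keeps the `${GITHUB_MCP_SERVER_TOKEN}` placeholder for the gateway to resolve, and `set -u` turns the unset-variable case (`$GH_AW_GITHUB_TOKEN` referenced while only `GITHUB_MCP_SERVER_TOKEN` is exported) into a hard error instead of a silent empty string. The variable names follow the workflow; the token value and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: heredoc quoting decides whether a secret is written into a
# generated MCP config or left as a placeholder. Token value is constructed.

# Unquoted heredoc: the shell expands every $VAR before the file is written,
# so the secret lands in the file verbatim.
render_expanded() {
  # $1 = output path
  cat > "$1" <<EOF
{ "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "$GITHUB_MCP_SERVER_TOKEN" } }
EOF
}

# Quoted heredoc ('EOF'): the body is copied literally, so the placeholder
# survives and the consumer (the gateway) resolves it from its own environment.
render_placeholder() {
  # $1 = output path
  cat > "$1" <<'EOF'
{ "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_MCP_SERVER_TOKEN}" } }
EOF
}

# Returns 0 when the literal secret value ($2) appears in file $1, i.e. leaked.
file_contains_secret() {
  grep -qF -- "$2" "$1"
}

# Returns 0 when referencing an unset variable is caught. Without `set -u`
# an unexported name such as GH_AW_GITHUB_TOKEN expands to "" and the
# server later fails to authenticate with no hint in the generated file.
unset_var_is_caught() {
  ( set -u; unset GH_AW_GITHUB_TOKEN; printf '%s' "$GH_AW_GITHUB_TOKEN" ) 2>/dev/null && return 1
  return 0
}

demo() {
  GITHUB_MCP_SERVER_TOKEN='ghp_constructedDemoToken123'   # constructed, not a real token
  export GITHUB_MCP_SERVER_TOKEN
  tmp=$(mktemp -d)
  render_expanded "$tmp/expanded.json"
  render_placeholder "$tmp/placeholder.json"
  if file_contains_secret "$tmp/expanded.json" "$GITHUB_MCP_SERVER_TOKEN"; then
    echo "expanded.json: secret baked into generated config"
  fi
  if ! file_contains_secret "$tmp/placeholder.json" "$GITHUB_MCP_SERVER_TOKEN"; then
    echo "placeholder.json: placeholder kept, gateway resolves it"
  fi
  if unset_var_is_caught; then
    echo "set -u: unset token variable is a hard error, not an empty string"
  fi
  rm -rf "$tmp"
}

demo
```

The `file_contains_secret` check is the same test a CI step can run over any generated config before it is uploaded as an artifact or echoed for debugging: if the raw secret value is found in the file, the file must not leave the runner.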
| OPENAI_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }} | ||
| RUST_LOG: trace,hyper_util=info,mio=info,reqwest=info,os_info=info,codex_otel=warn,codex_core=debug,ocodex_exec=debug |
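Review bot: `RUST_LOG: trace,...` makes `trace` the default for every crate not named explicitly, so the HTTP client stack and anything else outside the listed targets logs at maximum verbosity into the Actions log; a default of `info` (or `warn`) with only the named `codex_*` targets raised to `debug` keeps the useful diagnostics without request details, headers or token fragments ending up in a log that outlives the job. Separately, `ocodex_exec=debug` reads like a typo for `codex_exec=debug` alongside `codex_otel` and `codex_core`; a directive for a target that does not exist is simply ignored, so the intended crate stays at the default level.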
OPENAI_API_KEY is set to ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}. If both secrets exist (and differ), this will overwrite OPENAI_API_KEY with the Codex key value, which can break tooling that reads OPENAI_API_KEY specifically. Consider setting OPENAI_API_KEY from secrets.OPENAI_API_KEY (and CODEX_API_KEY from secrets.CODEX_API_KEY) while relying on the secret-validation step to ensure at least one is present.
This issue also appears on line 1239 of the same file.
| COPILOT_MODEL: gpt-5.1-codex-mini | ||
| CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }} | ||
| CODEX_HOME: /tmp/gh-aw/mcp-config | ||
| GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/config.toml |
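Review bot: `CODEX_API_KEY: ${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}` applies the same `||` fallback already flagged for `OPENAI_API_KEY`, so in the detection job both variables resolve to one secret and nothing downstream can tell which credential it was handed. Bind `CODEX_API_KEY` to `secrets.CODEX_API_KEY` only and let the secret-validation step fail the job when neither secret is configured. The `COPILOT_MODEL: gpt-5.1-codex-mini` line has no consumer once the engine is `codex`; if it survives this change it should be removed rather than left as a stale hint.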
The detection job sets GH_AW_MCP_CONFIG to /tmp/gh-aw/mcp-config/config.toml, but this job never creates that file (and it runs on a fresh runner, so it won’t exist unless generated in this job or downloaded as an artifact). This is likely to make codex exec fail at startup. Either generate a minimal MCP config in the detection job, download/copy the config into place, or unset GH_AW_MCP_CONFIG for detection if MCP tools aren’t needed.
| GH_AW_MCP_CONFIG: /tmp/gh-aw/mcp-config/config.toml |
`ci-doctor` was using `engine: copilot` with a pinned `model: gpt-5.1-codex-mini`. Switch to the `codex` engine directly (no model override needed) and require every report to include a collapsible Analysis Steps section so readers get a progressive-disclosure trail of the investigation.

Changes

- `engine: { id: copilot, model: gpt-5.1-codex-mini }` → `engine: codex`

Warning
Firewall rules blocked me from connecting to one or more addresses
I tried to connect to the following addresses, but was blocked by firewall rules:
- https://api.github.com/graphql via `/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw` (http block)
- https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b via `/usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha` (http block)
- https://api.github.com/repos/github/gh-aw via `/usr/bin/gh gh api /repos/github/gh-aw --jq .visibility` (http block)
- https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0 via `/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha` (http block)
- https://api.github.com/repos/githubnext/agentics/git/ref/tags/ via `/usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha` (http block)

If you need me to access, download, or install something from one of these locations, you can either: