
fix: use Python venv for pip installs in shared Python workflows #24053

Merged
pelikhan merged 3 commits into main from copilot/debug-daily-issues-report-generator on Apr 2, 2026

Conversation

Contributor

Copilot AI commented Apr 2, 2026

pip install --user fails on newer Debian/Ubuntu runners with PEP 668's externally-managed-environment error, breaking any workflow that imports the shared Python setup files.

Changes

  • shared/python-dataviz.md, shared/python-nlp.md, shared/trending-charts-simple.md: replace pip install --user with a proper Python virtual environment (python3 -m venv /tmp/gh-aw/venv) for package isolation
  • 18 lock files regenerated via make recompile
- pip install --user --quiet numpy pandas matplotlib seaborn scipy
+ if [ ! -d /tmp/gh-aw/venv ]; then
+   python3 -m venv /tmp/gh-aw/venv
+ fi
+ echo "/tmp/gh-aw/venv/bin" >> "$GITHUB_PATH"
+ /tmp/gh-aw/venv/bin/pip install --quiet numpy pandas matplotlib seaborn scipy
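Review bot: the `if [ ! -d /tmp/gh-aw/venv ]` guard treats any pre-existing directory as a working venv, so an empty or half-created /tmp/gh-aw/venv (an interrupted earlier step, or a directory left by some other step) skips creation and the `/tmp/gh-aw/venv/bin/pip install ...` line below then fails with a missing pip; test for the interpreter instead, e.g. `if [ ! -x /tmp/gh-aw/venv/bin/python ]; then`, or pass `--clear` so a stale directory is rebuilt. Separately, the install line pins neither versions nor hashes, so every run resolves the latest numpy, pandas, matplotlib, seaborn and scipy from PyPI; the venv removes the system-package risk described in this PR but not the typosquat/compromised-release risk the security review raises, which a pinned requirements file installed with `--require-hashes` would address. Since `/tmp/gh-aw/venv/bin` is written to $GITHUB_PATH, whatever ends up in that directory shadows `python3` and `pip` for every later step, so the contents of the venv deserve the same trust as the runner's own Python.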

Using a virtual environment avoids bypassing the PEP 668 OS-level protection (--break-system-packages) and provides proper package isolation without system-level side effects. The venv is created idempotently so workflows importing both python-dataviz.md and python-nlp.md safely share the same venv. The venv bin directory is added to $GITHUB_PATH so subsequent steps and the AI agent can use python3/pip transparently.

Fixes daily-issues-report and all other workflows importing these shared files.
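The idempotent venv bootstrap described in this PR, and the PEP 668 marker that causes the externally-managed-environment error the security review below also discusses, in Python as an added example; this is not code from the gh-aw repository or from this PR. It shows why a mere directory-exists check is a weak idempotency test (an empty or half-created directory passes it) and how pip decides an interpreter is externally managed (the EXTERNALLY-MANAGED file in the stdlib directory). The function names, the scratch-directory layout and the marker file text are assumptions constructed for the example; the venv is built with with_pip=False so the example runs offline, whereas a real workflow step wants pip inside the venv.

```python
"""Added example (not gh-aw code): PEP 668 detection and an idempotent venv."""
import configparser
import os
import subprocess
import sysconfig
import tempfile
import venv


def externally_managed_error(stdlib_dir=None):
    """Return the Error text from <stdlib>/EXTERNALLY-MANAGED if the
    interpreter is marked externally managed (PEP 668), else None.

    pip refuses `pip install --user` whenever that file exists; the
    optional [externally-managed] section supplies the message it prints.
    """
    stdlib_dir = stdlib_dir or sysconfig.get_path("stdlib")
    marker = os.path.join(stdlib_dir, "EXTERNALLY-MANAGED")
    if not os.path.exists(marker):
        return None
    cfg = configparser.ConfigParser()
    cfg.read(marker, encoding="utf-8")
    # An empty or malformed marker still blocks installs (pip only tests
    # for the file), so fall back to pip's generic error name.
    return cfg.get("externally-managed", "Error",
                   fallback="externally-managed-environment")


def venv_python(venv_dir):
    """Path of the interpreter inside venv_dir (bin/ on POSIX, Scripts/ on Windows)."""
    if os.name == "nt":
        return os.path.join(venv_dir, "Scripts", "python.exe")
    return os.path.join(venv_dir, "bin", "python")


def is_valid_venv(venv_dir):
    """A usable venv has pyvenv.cfg and an executable interpreter.

    A bare `[ -d venv_dir ]` test accepts an empty or half-created
    directory, and the later pip call then fails with a missing pip.
    """
    return (os.path.isfile(os.path.join(venv_dir, "pyvenv.cfg"))
            and os.access(venv_python(venv_dir), os.X_OK))


def ensure_venv(venv_dir, with_pip=False):
    """Create venv_dir unless it already is a working venv.

    Returns (python_path, created). with_pip=False skips ensurepip so this
    runs offline; a workflow installing packages needs with_pip=True.
    """
    if is_valid_venv(venv_dir):
        return venv_python(venv_dir), False
    # clear=True wipes a stale partial directory instead of reusing it.
    builder = venv.EnvBuilder(with_pip=with_pip, clear=True,
                              symlinks=(os.name != "nt"))
    builder.create(venv_dir)
    return venv_python(venv_dir), True


def venv_prefix(python_path):
    """Ask the interpreter for sys.prefix; for a venv python this is the
    venv directory rather than the system Python's prefix."""
    out = subprocess.run([python_path, "-c", "import sys; print(sys.prefix)"],
                         check=True, capture_output=True, text=True)
    return os.path.realpath(out.stdout.strip())


def demo():
    """Bootstrap twice in a scratch directory and report what happened."""
    tmp = tempfile.mkdtemp(prefix="gh-aw-venv-demo-")
    target = os.path.join(tmp, "venv")
    os.makedirs(target)                      # stray empty dir: `-d` would trust it
    stale_accepted = is_valid_venv(target)
    py, created_first = ensure_venv(target)
    _, created_second = ensure_venv(target)  # idempotent: nothing rebuilt
    # Constructed marker standing in for /usr/lib/python3.X/EXTERNALLY-MANAGED.
    stdlib = os.path.join(tmp, "stdlib")
    os.makedirs(stdlib)
    unmanaged = externally_managed_error(stdlib)
    with open(os.path.join(stdlib, "EXTERNALLY-MANAGED"), "w", encoding="utf-8") as fh:
        fh.write("[externally-managed]\nError=Use a venv: python3 -m venv /tmp/gh-aw/venv\n")
    managed = externally_managed_error(stdlib)
    return {
        "stale_dir_accepted": stale_accepted,
        "created_first": created_first,
        "created_second": created_second,
        "prefix_is_venv": venv_prefix(py) == os.path.realpath(target),
        "unmanaged_error": unmanaged,
        "managed_error": managed,
    }


if __name__ == "__main__":
    print(demo())
```

The `venv_prefix` check is the one worth keeping in a workflow: after `/tmp/gh-aw/venv/bin` is written to $GITHUB_PATH, a later step can run `python3 -c 'import sys; print(sys.prefix)'` and confirm it resolves to the venv rather than to the runner's system interpreter.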

Copilot AI linked an issue Apr 2, 2026 that may be closed by this pull request
…n shared workflows

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5fb6f23a-cf0a-41dd-ad53-e7b90ff6422d

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix daily issues report generator workflow failure" to "fix: use --break-system-packages for pip installs in shared Python workflows" Apr 2, 2026
Copilot AI requested a review from pelikhan April 2, 2026 10:50
@pelikhan
Collaborator

pelikhan commented Apr 2, 2026

@copilot do a security review of this change

Contributor Author

Copilot AI commented Apr 2, 2026

@copilot do a security review of this change

Security review findings (commit 70b1d04):

--break-system-packages concerns:

  • It bypasses PEP 668, an intentional OS security mechanism that prevents modifying system-managed Python packages
  • It could allow a compromised/typosquatted package from PyPI to shadow critical system utilities (e.g., if a malicious package shadows python3 tools in the system path)
  • While ephemeral runners limit persistent damage, the principle of least privilege suggests we shouldn't bypass OS protections unnecessarily

Fix applied: Replaced --break-system-packages with a proper Python virtual environment (python3 -m venv /tmp/gh-aw/venv) in all three shared files. The venv:

  • Installs packages into an isolated directory with no system-level side effects
  • Is created idempotently so workflows importing both python-dataviz.md and python-nlp.md share the same venv without conflict
  • Adds /tmp/gh-aw/venv/bin to $GITHUB_PATH so the AI agent's subsequent bash commands can use python3/pip transparently

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "fix: use --break-system-packages for pip installs in shared Python workflows" to "fix: use Python venv for pip installs in shared Python workflows" Apr 2, 2026
@pelikhan pelikhan marked this pull request as ready for review April 2, 2026 11:11
Copilot AI review requested due to automatic review settings April 2, 2026 11:11
@pelikhan pelikhan merged commit 5b8cb14 into main Apr 2, 2026
52 checks passed
@pelikhan pelikhan deleted the copilot/debug-daily-issues-report-generator branch April 2, 2026 11:11
Contributor

Copilot AI left a comment


Pull request overview

Updates shared GitHub Actions Python setup to avoid pip install --user failures on newer Debian/Ubuntu runners (PEP 668) by installing dependencies into a dedicated virtual environment and ensuring workflows have a known Python runtime.

Changes:

  • Switched shared Python install steps from pip install --user to a reusable venv at /tmp/gh-aw/venv and added the venv bin directory to $GITHUB_PATH.
  • Regenerated workflow lock files to use the venv-based installs and added actions/setup-python (Python 3.12) where needed.
  • Updated all affected scientific/NLP install and verification commands to run from the venv interpreter.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated no comments.

File Description
.github/workflows/shared/python-dataviz.md Install scientific libs into /tmp/gh-aw/venv and verify using venv Python.
.github/workflows/shared/python-nlp.md Install NLP libs into /tmp/gh-aw/venv, download NLTK corpora using venv Python.
.github/workflows/shared/trending-charts-simple.md Use /tmp/gh-aw/venv for trending chart dependencies and expose venv on PATH.
.github/workflows/weekly-issue-summary.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/stale-repo-identifier.lock.yml Add setup-python and switch scientific installs (including trending section) to venv.
.github/workflows/python-data-charts.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/prompt-clustering-analysis.lock.yml Add setup-python and switch NLP/scientific installs to venv.
.github/workflows/portfolio-analyst.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/org-health-report.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/github-mcp-structural-analysis.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/daily-repo-chronicle.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/daily-performance-summary.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/daily-news.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/daily-issues-report.lock.yml Add setup-python and switch scientific + NLP installs to venv.
.github/workflows/daily-integrity-analysis.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/daily-firewall-report.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/daily-copilot-token-report.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/daily-code-metrics.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/copilot-session-insights.lock.yml Add setup-python and switch scientific installs to venv.
.github/workflows/copilot-pr-nlp-analysis.lock.yml Add setup-python and switch scientific + NLP installs to venv.
.github/workflows/audit-workflows.lock.yml Add setup-python and switch scientific installs to venv.



Development

Successfully merging this pull request may close these issues.

[aw] Daily Issues Report Generator failed

3 participants