Skip to content

fix: pass GH_AW_SAFE_OUTPUTS to safe-outputs MCP HTTP server startup step#24126

Merged
pelikhan merged 3 commits intomainfrom
copilot/fix-empty-outputs-jsonl
Apr 2, 2026
Merged

fix: pass GH_AW_SAFE_OUTPUTS to safe-outputs MCP HTTP server startup step#24126
pelikhan merged 3 commits intomainfrom
copilot/fix-empty-outputs-jsonl

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 2, 2026
edited
Loading

The safe-outputs MCP HTTP server was returning {"result":"success"} to tool calls but never persisting items to outputs.jsonl, causing agent_output.json to be {"items":[]} and all downstream safe-output jobs to be skipped.

Root Cause

The "Start Safe Outputs MCP HTTP Server" step in compiled workflow YAML was missing GH_AW_SAFE_OUTPUTS from its env: block. The Node.js server process fell back to constructing the output path from process.env.RUNNER_TEMP (hardcoded default in safe_outputs_config.cjs), but RUNNER_TEMP is not automatically exported to background processes started from a GitHub Actions run: block — so writes silently succeeded to the wrong path while ingestion steps read from ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}.

Changes Made

  • pkg/workflow/mcp_setup_generator.go: Added GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }} to the "Start Safe Outputs MCP HTTP Server" step's env: block and export GH_AW_SAFE_OUTPUTS to its run: script, matching the pattern used by every other step that consumes this variable.
  • pkg/workflow/mcp_setup_generator_test.go: Added regression test TestSafeOutputsHTTPServerPassesOutputEnvVar that compiles a workflow with safe-outputs and asserts GH_AW_SAFE_OUTPUTS is present in the startup step's env block.
  • All 179 .lock.yml workflow files recompiled via make recompile.

Testing

  • ✅ New regression test TestSafeOutputsHTTPServerPassesOutputEnvVar passes
  • ✅ All unit tests pass (go test ./pkg/workflow/)
  • ✅ All 179 workflow lock files recompiled successfully
  • ✅ Lint passes

Copilot AI linked an issue Apr 2, 2026 that may be closed by this pull request
Safe outputs MCP server returns success but outputs.jsonl is empty (v0.65.5) #24125
Closed
Copilot stopped work on behalf of pelikhan due to an error April 2, 2026 15:13
The session was cancelled by the user.
Copilot AI requested a review from pelikhan April 2, 2026 15:13
@pelikhan
Copy link
Copy Markdown
Collaborator

pelikhan commented Apr 2, 2026

@copilot keep working

@pelikhan
fix: pass GH_AW_SAFE_OUTPUTS to safe-outputs MCP server startup step
6582b4f 
The safe-outputs HTTP server was not receiving the GH_AW_SAFE_OUTPUTS
environment variable, causing it to fall back to constructing the
outputs.jsonl path from process.env.RUNNER_TEMP instead of using the
exact path established by the set-runtime-paths step.

This meant tool calls returned {"result":"success"} but wrote to a path
that downstream ingestion steps were not reading from, resulting in an
empty agent_output.json.

Fix: add GH_AW_SAFE_OUTPUTS to the "Start Safe Outputs MCP HTTP Server"
step env block (and export list) so the Node.js server process inherits
the correct file path that all other steps agree on.

Also adds a regression test TestSafeOutputsHTTPServerPassesOutputEnvVar
in mcp_setup_generator_test.go and recompiles all 179 workflow lock files.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/49174482-0622-414b-a819-bfdfa874b971

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Copy Markdown
Contributor Author

Copilot AI commented Apr 2, 2026
edited
Loading

@copilot keep working

Done. Committed in 6582b4f.

Root cause: The "Start Safe Outputs MCP HTTP Server" step was missing GH_AW_SAFE_OUTPUTS in its env block. The Node.js server process fell back to ${process.env.RUNNER_TEMP}/gh-aw/safeoutputs/outputs.jsonl (hardcoded default in safe_outputs_config.cjs) but RUNNER_TEMP wasn't exported to the subprocess, so the path was empty — writes silently succeeded to /gh-aw/safeoutputs/outputs.jsonl while ingestion read from ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}.

Fix: Added GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }} and export GH_AW_SAFE_OUTPUTS to the startup step in pkg/workflow/mcp_setup_generator.go, recompiled all 179 lock files, and added a regression test TestSafeOutputsHTTPServerPassesOutputEnvVar.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw on cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git se 784790/b005/vet.js/fuzz_sanitize_output_harness.cjs cfg git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw on cfg git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git se 784790/b004/vet.js/fuzz_sanitize_output_harness.cjs cfg git (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -bool -buildtags /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build445784790/b226/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/asm re --log-level=egit (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha om/pmezard/go-difflib@v1.0.0/difflib/difflib.go cfg cfg rkflow/js/**/*.jgit (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha on&#39; --ignore-pat-errorsas (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git .js&#39; --ignore-pagit --local x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git get --local 64/pkg/tool/linu--show-toplevel git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha se 784790/b074/vet.cfg 784790/b214/vet.cfg (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git &#39;**/*.ts&#39; &#39;**/*.git (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha echo &#34;��� JSON files formatted&#34; (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha blob 2c2cbde0789ecf61ad41395b143770875634a94e:go.mod 784790/b211/vet.cfg ignore-path ../.git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /tmp/go-build1800210296/b346/_pkg_.a -trimpath /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -p github.com/githurev-parse -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build445784790/b111/vet.cfg 784790/b205/vet.cfg -c=4 -nolocalimports -importcfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --format %(refname) /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet --merged 2c2cbde0789ecf61rev-parse (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha extensions.objectformat (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git &#34;prettier&#34; --wrinode (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git -unreachable=falgit /tmp/go-build445-C (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git se 784790/b105/vet.js/fuzz_sanitize_output_harness.cjs ache/go/1.25.0/x64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /usr/bin/git se 784790/b247/vet.-C ache/go/1.25.0/x/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha echo &#34;Syncing actions-lock.json from .github/aw to pkg/workflow/data/action_pins.json...&#34; (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --local cfg 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --local cfg 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel -tests /usr/bin/git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet $name) { hasDiscussionsEnabled } } --write scripts/**/*.js ache/go/1.25.0/xgraphql git rev-�� --show-toplevel (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Fix issue with empty outputs.jsonl in MCP server fix: pass GH_AW_SAFE_OUTPUTS to safe-outputs MCP HTTP server startup step Apr 2, 2026
@pelikhan pelikhan marked this pull request as ready for review April 2, 2026 15:27
Copilot AI review requested due to automatic review settings April 2, 2026 15:27
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes safe-outputs persistence by ensuring the Safe Outputs MCP HTTP server process receives the GH_AW_SAFE_OUTPUTS path, so it writes outputs.jsonl to the same location that downstream ingestion reads from (preventing empty agent_output.json and skipped jobs).

Changes:

  • Pass GH_AW_SAFE_OUTPUTS into the “Start Safe Outputs MCP HTTP Server” step’s env: and export it in the step’s run: script.
  • Add a regression unit test asserting the compiled workflow includes the variable for the server startup step.
  • Recompile workflow lock files (*.lock.yml) to include the corrected env/export in generated workflows.

Reviewed changes

Copilot reviewed 175 out of 175 changed files in this pull request and generated 1 comment.

File Description
pkg/workflow/mcp_setup_generator.go Adds GH_AW_SAFE_OUTPUTS to the safe-outputs server startup step environment and exports it for the background Node process.
pkg/workflow/mcp_setup_generator_test.go Adds a regression test to catch missing GH_AW_SAFE_OUTPUTS wiring in generated YAML.
.github/workflows/*.lock.yml (recompiled) Updates compiled workflows so the safe-outputs MCP server startup step receives GH_AW_SAFE_OUTPUTS.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

pkg/workflow/mcp_setup_generator_test.go
Comment on lines +577 to +586
// Verify the "Start Safe Outputs MCP HTTP Server" step exists
assert.Contains(t, yamlStr, "Start Safe Outputs MCP HTTP Server",
"Should have safe outputs server startup step")

// The critical fix: GH_AW_SAFE_OUTPUTS must be in the startup step's env block
// so the Node.js server process writes outputs.jsonl to the exact path that the
// ingestion step reads from.
assert.Contains(t, yamlStr,
"GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}",
"Start Safe Outputs step must include GH_AW_SAFE_OUTPUTS in env block so the server writes to the correct path")
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The regression test currently asserts that GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }} appears anywhere in the compiled YAML. That string is also present in other steps (e.g., output ingestion/copy steps), so this assertion can pass even if the Start Safe Outputs MCP HTTP Server step’s env: block is missing GH_AW_SAFE_OUTPUTS (and export GH_AW_SAFE_OUTPUTS alone would still fall back because an empty env var is falsy in Node). Consider tightening the test to scope the assertion to the startup step (e.g., extract just that step block and inspect its env: section, or use a regex anchored between the step name and its env: block).

Copilot uses AI. Check for mistakes.
@pelikhan pelikhan merged commit 4fee614 into main Apr 2, 2026
51 checks passed
@pelikhan pelikhan deleted the copilot/fix-empty-outputs-jsonl branch April 2, 2026 15:46
Copilot stopped work on behalf of pelikhan due to an error April 2, 2026 16:03
Job was cancelled
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Safe outputs MCP server returns success but outputs.jsonl is empty (v0.65.5)

3 participants

@pelikhan