feat: add object form support for observability.otlp.headers

[Copilot]

Summary

Adds support for using a map/object form for the observability.otlp.headers field in workflow frontmatter, similar to how env fields work. This makes it cleaner and easier to set header secrets individually.

The string form is now deprecated with a warning recommending the map form.

New map form (preferred)

observability:
  otlp:
    endpoint: ${{ secrets.OTLP_ENDPOINT }}
    headers:
      Authorization: ${{ secrets.OTLP_TOKEN }}
      X-Tenant: acme

Old string form (deprecated)

observability:
  otlp:
    endpoint: ${{ secrets.OTLP_ENDPOINT }}
    headers: "Authorization=${{ secrets.OTLP_TOKEN }},X-Tenant=acme"

Changes

• OTLPConfig.Headers changed from string to any to accept both forms
• New normalizeOTLPHeaders helper converts either form to the key=value,key=value format required by OTEL_EXPORTER_OTLP_HEADERS
• Deprecation warning emitted to stderr exactly once when string form is used — extractOTLPConfigFromRaw is now a pure helper returning a deprecated bool flag; the warning is emitted at a single call site in injectOTLPConfig
• WorkflowData.OTLPHeaders field added (set by injectOTLPConfig alongside OTLPEndpoint) so downstream code (buildMCPGatewayConfig) reads it directly instead of re-reading raw frontmatter, eliminating duplicate warnings
• JSON schema updated to accept headers as either string (deprecated) or object with string values
• Non-string values in the map are skipped with a debug log
• Improved OTLP header masking: the generated mask step now masks the entire headers string, each individual header value, and — for Bearer Authorization values — also the raw token after stripping the `****** scheme prefix so the token is redacted even when it appears without the scheme
• Comprehensive tests added for new behavior, including deprecated flag assertions and OTLPHeaders field coverage

---

Changeset

• Type: patch
• Description: Added support for defining observability.otlp.headers as an object in workflow frontmatter.

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• chatgpt.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"

See Network Configuration for more information.

Generated by Changeset Generator for issue #28524 · ◷

---

---

✨ PR Review Safe Output Test - Run 24945190957

💥 [THE END] — Illustrated by Smoke Claude · ● 190.1K · ◷

[pelikhan]

@copilot when generating mask for headers, mask authorization value (remove Bearer as well)

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 83/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	4 test functions (18 sub-cases)
✅ Design tests (behavioral contracts)	4 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	3 (75%)
Duplicate test clusters	0
Test inflation detected	⚠️ Yes — 258 test lines vs 62 production lines (~4.2:1)
🚨 Coding-guideline violations	0

---

Test Classification Details

View All Test Classifications (18 sub-cases across 4 functions)

Test	File	Classification	Notes
TestNormalizeOTLPHeaders (10 table rows)	pkg/workflow/observability_otlp_test.go:663	✅ Design	Covers nil, empty, string, map, unsupported type, non-string values — excellent edge case coverage
TestInjectOTLPConfig_MapHeaders (3 sub-tests)	pkg/workflow/observability_otlp_test.go:756	✅ Design	Verifies env var injection for map-form headers end-to-end; one assertion missing message
TestExtractOTLPConfigFromRaw_MapHeaders (3 table rows)	pkg/workflow/observability_otlp_test.go:830	✅ Design	Tests raw frontmatter extraction; includes empty-map edge case
TestObservabilityConfigParsing_MapHeaders (2 sub-tests)	pkg/workflow/observability_otlp_test.go:891	✅ Design	Verifies ParseFrontmatterConfig handles both map and string header forms

---

Minor Observations

i️ Test Inflation (4.2:1 ratio)

The test file grew 258 lines vs. 62 production lines. This mechanically triggers the inflation flag, but in this case the ratio is justified: the new feature supports two header formats (string and map[string]any) and each format needs its own parsing, extraction, and injection paths tested. The test coverage is genuinely comprehensive, not inflated.

i️ One assertion missing message (TestInjectOTLPConfig_MapHeaders)

assert.Contains(t, wd.Env, "OTEL_EXPORTER_OTLP_HEADERS: api-key=$\{\{ secrets.API_KEY }}")

This assertion is missing a descriptive message argument (project guideline: every assertion should have a context message). The other sub-tests in this function do include messages. Suggested fix:

assert.Contains(t, wd.Env, "OTEL_EXPORTER_OTLP_HEADERS: api-key=$\{\{ secrets.API_KEY }}",
    "single-header map form should produce correct env var")

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 4 test functions — unit (//go:build !integration) ✅ build tag present

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). All 4 new test functions verify behavioral contracts with comprehensive multi-path coverage. No coding-guideline violations detected.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

References: §24943747509

🧪 Test quality analysis by Test Quality Sentinel · ● 384.5K · ◷

[github-actions]

✅ Test Quality Sentinel: 83/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 4 new test functions verify behavioral contracts across multiple input paths (nil, string, map, empty, unsupported types). One minor: a single assert.Contains call is missing a descriptive message argument.

[github-actions]

Commit pushed: 3695c43

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (341 new lines in pkg/) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/28524-support-object-form-for-otlp-headers.md

What to do next

1. Review the draft ADR committed to your branch — it was generated from the PR diff
2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and list any additional alternatives you considered
3. Commit the finalized ADR to docs/adr/ on your branch
4. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-28524: Support Object Form for observability.otlp.headers

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

---

📋 Draft ADR summary

Decision: Extend OTLPConfig.Headers from string to any, accepting both a map form (preferred) and the legacy comma-separated string form (deprecated). A normalizeOTLPHeaders helper converts either form to the OTEL_EXPORTER_OTLP_HEADERS format. The string form emits a deprecation warning to stderr.

Key trade-offs captured:

• The any-typed Go field requires runtime type assertions at all read sites
• Two input forms must be maintained and tested during the deprecation window
• Map keys are sorted lexicographically for deterministic output

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 28524-support-object-form-for-otlp-headers.md for PR #28524).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §24943747500

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 144.9K · ◷

[Copilot]

Pull request overview

Adds support for configuring observability.otlp.headers as a map/object in workflow frontmatter (while keeping the legacy string form working but deprecated), and normalizes both forms into the key=value,key=value format required by OTEL_EXPORTER_OTLP_HEADERS.

Changes:

• Change OTLPConfig.Headers to any and add normalizeOTLPHeaders to accept either string or map forms (with deterministic ordering for maps).
• Emit a deprecation warning to stderr when the legacy string form is used.
• Update JSON schema, docs, and add/extend tests to cover map-form headers behavior.

Show a summary per file

File	Description
pkg/workflow/observability_otlp.go	Adds normalizeOTLPHeaders and uses it during raw extraction + env injection; prints deprecation warnings for string form.
pkg/workflow/observability_otlp_test.go	Updates parsing assertions to normalize headers; adds new tests for normalization, injection, and extraction with map headers.
pkg/workflow/mcp_gateway_config.go	Normalizes headers when building MCP gateway runtime config.
pkg/workflow/frontmatter_types.go	Updates OTLP headers type/docs to support both map and deprecated string forms.
pkg/parser/schemas/main_workflow_schema.json	Allows observability.otlp.headers to be either an object (string values) or a deprecated string.
docs/src/content/docs/reference/frontmatter-full.md	Documents the new oneOf formats for observability.otlp.headers.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 7/7 changed files
• Comments generated: 2

[Copilot]

extractOTLPConfigFromRaw now emits a deprecation warning to stderr when the string form is encountered. This function is called from multiple places (e.g., injectOTLPConfig and buildMCPGatewayConfig), so the same workflow can end up printing the warning multiple times. It also adds an unconditional stderr side effect to what was previously a pure extraction helper (which will make unit test runs noisy). Consider returning the deprecation flag (or an enum) from extractOTLPConfigFromRaw and emitting the warning once at a higher level (or adding an option to suppress/warn-once).

[Copilot]

buildMCPGatewayConfig re-reads OTLP headers via extractOTLPConfigFromRaw, which now prints the deprecation warning. Since injectOTLPConfig also calls extractOTLPConfigFromRaw during compilation, this can cause duplicate warnings for a single workflow. Additionally, the ParsedFrontmatter fallback ignores the returned deprecated flag, so if headers only come from ParsedFrontmatter (e.g., via imports) this path won’t emit the deprecation warning unless another stage already did. Consider sourcing the normalized headers from a single place (e.g., store normalized headers on WorkflowData alongside OTLPEndpoint) and emitting the warning once (warn-once).

[Copilot]

@copilot when generating mask for headers, mask authorization value (remove Bearer as well)

Done in c65a738. The mask step now:

1. Masks the entire OTEL_EXPORTER_OTLP_HEADERS string (existing)
2. Splits on commas and masks each individual header value
3. For ****** values, strips the ****** prefix and masks the raw token separately — so the token is redacted even when it appears without the scheme

[pelikhan]

@copilot review all comments

[Copilot]

@copilot review all comments

Addressed both reviewer comments in a7a7888:

1. Duplicate deprecation warnings (observability_otlp.go:169-173): extractOTLPConfigFromRaw is now a pure helper — it returns a deprecated bool flag instead of printing to stderr. The warning is emitted exactly once in injectOTLPConfig after resolving headers from all sources (raw frontmatter + ParsedFrontmatter fallback).

2. buildMCPGatewayConfig re-reading raw frontmatter (mcp_gateway_config.go:140-144): Added WorkflowData.OTLPHeaders field (set by injectOTLPConfig alongside OTLPEndpoint). buildMCPGatewayConfig now reads workflowData.OTLPHeaders directly — no second call to extractOTLPConfigFromRaw, no duplicate warning.

[pelikhan]

@copilot merge main, fix conflicts and recompile

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ,short (http block)
  • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name 64/pkg/tool/linux_amd64/compile remote.origin.urgit (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name h ../../../.prettierignore committer.email kflows/agentic-observability-kit.lock.yml (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel /usr/bin/gh /usr/bin/gh k/gh-aw/gh-aw/.ggit -f /usr/bin/git gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq /usr/bin/git k/gh-aw/gh-aw/.ggit config k/node_modules/.--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/gh --show-toplevel git /usr/bin/git gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/gh --show-toplevel git /usr/bin/git gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --get remote.origin.url /usr/bin/git 01 6029964/b001/_terev-parse repository(owne--show-toplevel git conf�� user.email l (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git .cfg --show-toplevel node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git .cfg --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse k/gh-aw/node_modules/.bin/node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel infocmp /usr/bin/git xterm-color (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git k/gh-aw/gh-aw/.ggit ache/go/1.25.8/xrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git ithub-script/gitgit remote.origin.urrev-parse bject.type] | @t--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/TestHashConsistency_GoAndJavaScript1650118153/001/test-inlined-imports-enabled-with-body-cogit git /usr/bin/git --local gpg.program modules/@npmcli/--show-toplevel git rev-�� thImports3999958617/001 url /usr/bin/git js/**/*.json' --git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel H" || true && ecrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git Onlymin-integritbash on (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /home/REDACTED/go/--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv ithub/workflows --local ort-object-form-otlp-headers committer.email (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv get --local ck.yml commit.gpgsign (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv get --local me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } pull.rebase (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv user.name Test User /usr/bin/gh source-field-vargit (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git 3313627/b416/vet.cfg --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --show-toplevel git /usr/bin/git /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git 7106677/b416/vet.cfg --show-toplevel git /usr/bin/git git rev-�� --show-toplevel ho "chain-continued" /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --show-toplevel gh /usr/bin/git /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ons-test555337431 339c7da61f07df1c2e0f528d /usr/bin/git k/gh-aw/gh-aw commit.gpgsign kflows/ai-modera--show-toplevel git -C /tmp/compile-instructions-test-3841401869/.github/workflows rev-parse om/other/repo.git js/**/*.json' --git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv DiscussionsEnabled } } docker /usr/bin/gh k/gh-aw/gh-aw/.ggit ghcr.io/github/srev-parse /usr/bin/git gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts /usr/bin/gh .artifacts[].namgit LsRemoteWithRealrev-parse /usr/sbin/ls gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv xterm-color git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel /usr/bin/gh /usr/bin/git git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel /usr/bin/gh /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git DiscussionsEnabl--show-toplevel git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch submodules | head -n 10 (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/vet /usr/bin/git /workflows rev-parse 1/x64/lib/node_m--show-toplevel /usr/bin/git conf�� --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/infocmp .js' --ignore-pagit config 1/x64/lib/node_m--show-toplevel infocmp (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/gh git rev-�� --show-toplevel gh /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /repos/actions/cgit --jq /usr/bin/git /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel sed /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --show-toplevel git /usr/bin/git /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /tmp/TestParseDefaultBranchFromLsRemoteWithRealGitbranch_with_hyphen2163682504/001 /tmp/TestParseDefaultBranchFromLsRemoteWithRealGitbranch_with_hyphen2163682504/002/work om/testorg/testrepo.git h ../../../.pretgit committer.name e-output-optimiz--show-toplevel git -C /tmp/TestGuardPolicyMinIntegrityOnlyrepos_only_without_min-integrity3090252581/001 remote 0"}} w/js/**/*.json' git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel docker /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel infocmp /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name validation_test.go ions_test.go s_test.go .go _test.go .go atte�� y_with_repos_array_c972177785/001 atting_test.go ache/go/1.25.8/x64/bin/gofmt ignore (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 erena-mcp-server:latest /usr/bin/git -f owner=github -f git -C mpiledOutput1598956879/001 rev-parse cal/bin/sh nore (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name rev-parse tions/node_modules/.bin/node (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 mLsRemoteWithRealGitcustom_branch699199484/001' 64/bin/node (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name itcustom_branch699199484/002/work de_modules/.bin/node remote.origin.urgit (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 show /usr/local/sbin/stat (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name st.go kflows/smoke-agent-all-none.lock.yml ion_test.go (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 config 64/pkg/tool/linux_amd64/vet l (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name LsRemoteWithRealGitcustom_branch699199484/001' /usr/sbin/ls (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 config /usr/bin/git remote.origin.urgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name show ndor/bin/bash (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name config /usr/bin/ls l (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 rev-parse 64/pkg/tool/linux_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path h ../../../.prettierignore gpg.program /sh (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 -j DiscussionsEnablrun infocmp -1 on' --ignore-pat--detach (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build1957071620/b404/cli.test /tmp/go-build1957071620/b404/cli.test -test.testlogfile=/tmp/go-build1957071620/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true committer.name (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /home/REDACTED/worgit rev-parse ash git rev-�� --show-toplevel infocmp /usr/bin/git OnlyCompiledOutpls (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git i-inference/git/ls git bject.type] | @t/tmp/gh-aw/aw-feature-branch.patch git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv 8/001/noflag-a.md show k/gh-aw/gh-aw/node_modules/.bin/sh nore (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git 1509-11476/test-git sh /usr/bin/git git rev-�� ch git /usr/bin/git user.name Test User /usr/lib/git-cor--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/vet k --show-toplevel git /usr/bin/git git rev-�� etup-go/git/ref/tags/v4 git bject.type] | @tsv --show-toplevel git .cfg git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows blob repository(owner: $owner, name:--ignore-path (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw -trimpath ode_modules/.bin/node -p github.com/githurev-parse -lang=go1.25 git 9108�� ithub/workflows show kflows/daily-skill-optimizer.loc../../../.prettierignore -c=4 -nolocalimports -importcfg /usr/bin/gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv --noprofile erena-mcp-server:latest (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows -importcfg /usr/bin/docker -buildmode=exe -buildid=3Wj_n9brev-parse ed } } docker ode_�� k/gh-aw/gh-aw/.github/workflows -extld=gcc ode_modules/.bin/prettier l (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows config k/node_modules/.bin/sh nore (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git 1509-11476/test-git remote.origin.urrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --get remote.origin.ur-w /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� ithub-script/git/ref/tags/v9 git bject.type] | @tsv --show-toplevel git .cfg git (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion son (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo /usr/local/sbin/bash (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 9a2d00bd8b79e366-d (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state son ignore (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name h ../../../.prettierignore committer.email er: String!, $name: String!) { -f (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch k/gh-aw/gh-aw config 64/pkg/tool/linux_amd64/vet nore (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

[github-actions]

⚠️ Smoke Crush failed. Crush encountered unexpected challenges...

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🚀 Smoke OpenCode MISSION COMPLETE! OpenCode delivered. 🔥

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	4.52.5
curl	✅	8.5.0
gh	✅	2.89.0
node	✅	22.22.2
python3	✅	3.10.16 (PyPy 7.3.19)
go	✅	1.24.13
java	✅	openjdk 21.0.10
dotnet	✅	10.0.201

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test · ● 118.3K · ◷

[github-actions]

Smoke Test Codex 24945190968: FAIL
PRs: #28516 feat: cache-memory cache_memory_miss detection and conclusion handler; #28519 Fix integration test: check run_ids_or_urls (plural) in audit error envelope
✅ GitHub MCP ✅ Serena ✅ Playwright ✅ File/Bash ✅ Build
❌ Web Fetch unavailable; ❌ no comment-memory files

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• chatgpt.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "chatgpt.com"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex · ◷

[github-actions]

🤖 Smoke test complete for PR #28524

Test	Result
GitHub MCP	✅
MCP Scripts GH CLI	✅
Serena CLI	⚠️
Playwright	✅
Web Fetch	⚠️
File Writing	✅
Bash Tool	✅
Discussion Interaction	✅
Build gh-aw	✅
Upload artifact	✅
Discussion Creation	✅
Workflow Dispatch	✅
PR Review	✅
Comment Memory	✅

Overall: ✅ PASS

Author: @Copilot | Assignees: @pelikhan, @Copilot

📰 BREAKING: Report filed by Smoke Copilot · ● 1.1M · ◷

[github-actions]

Comment Memory

Smoke test visited
Copilot built and tested here
All green, carry on

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

📰 BREAKING: Report filed by Smoke Copilot · ● 1.1M · ◷

[github-actions]

Smoke test review: PR adds object form support for OTLP headers. Implementation looks solid with proper deprecation handling and comprehensive test coverage.

📰 BREAKING: Report filed by Smoke Copilot · ● 1.1M

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Commit pushed: bf33af6

Generated by Changeset Generator

[github-actions]

Smoke Test Run §24945190957 — Overall: PARTIAL

Core (#1–12): ✅✅✅✅✅✅✅✅✅❌✅✅ | PR Review (#13–19): ✅✅✅⚠️✅✅⚠️

• Remove ai-inference, opencode, genaiscript agentic engines for now #10 Agentic Workflows MCP: ❌ failed to get workflow statuses
• Update default model in Codex engine to o4-mini and adjust test expectations #16 Resolve thread: ⚠️ thread node IDs unavailable
• Add HTTP transport capability validation and time MCP server for agentic engines #19 Close PR: ⚠️ no safe test PR

💥 [THE END] — Illustrated by Smoke Claude · ● 190.1K · ◷

[github-actions]

💥 Automated smoke test review — all systems nominal! Run 24945190957.

💥 [THE END] — Illustrated by Smoke Claude · ● 190.1K

[github-actions]

🤖 Smoke test review comment #1 — Good refactor! Using a dedicated shell script mask_otlp_headers.sh instead of an inline echo command improves maintainability and allows the masking logic to evolve independently of the lock file generation. Run 24945190957.

[github-actions]

🤖 Smoke test review comment #2 — Consistent pattern across all 202 lock files. Centralizing the OTLP header masking in mask_otlp_headers.sh means future improvements only need a single edit. Run 24945190957.