
Enforce max-size guard for repo-loaded experiment state (SEC-003)#30448

Merged: pelikhan merged 2 commits into main from copilot/sec-003-enforce-max-limit on May 5, 2026

Conversation

Contributor

Copilot AI commented May 5, 2026

load_experiment_state_from_repo.cjs fetched state via octokit.rest.repos.getContent and parsed it without bounding payload size, which violated Safe Outputs SEC-003. This change adds explicit response-size enforcement before parse/write and covers the boundary behavior in tests.

  • Size-limit enforcement in state loader
    • Added MAX_STATE_FILE_BYTES (102400) to cap decoded state content.
    • Added a dedicated limit predicate and early-return path in main() to skip oversized payloads with a warning.
    • Enforced the conformance-recognized check pattern: content.length > MAX_STATE_FILE_BYTES (via helper).
  • Focused behavior coverage
    • Extended load_experiment_state_from_repo.test.cjs to validate:
      • oversized payloads are rejected and not written to disk,
      • exact-boundary payloads are accepted and written,
      • temp directories are cleaned up in test flows.

const MAX_STATE_FILE_BYTES = 102400; // 100 KiB cap on the decoded state content

// checkLimit is the helper that implements content.length > MAX_STATE_FILE_BYTES;
// it runs before the content is parsed or written to disk.
if (checkLimit(content, MAX_STATE_FILE_BYTES)) {
  core.warning(`Experiment state file exceeds max limit (${MAX_STATE_FILE_BYTES} bytes) – starting fresh`);
  return; // leave main() without parsing or writing; the workflow starts with fresh state
}

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/azure/login/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-28 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-05 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-02-04 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
    • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
    • Triggering command: /tmp/go-build589391604/b404/cli.test /tmp/go-build589391604/b404/cli.test -test.testlogfile=/tmp/go-build589391604/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
    • Triggering command: /tmp/go-build2902912068/b404/cli.test /tmp/go-build2902912068/b404/cli.test -test.testlogfile=/tmp/go-build2902912068/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
    • Triggering command: /tmp/go-build1918441780/b404/cli.test /tmp/go-build1918441780/b404/cli.test -test.testlogfile=/tmp/go-build1918441780/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch t1366286922/.github/workflows 391604/b102/vet.cfg _.a **/*.json --ignore-path ../../../.prettierignore ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -c pkg/mod/github.com/stretchr/testify@v1.11.1/assert/yaml/yaml_default.go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch runs/20260505-204922-38487/test-1352347845/.github/workflows --write /tmp/go-build2902912068/b404/cli.test !../../../pkg/wogit --ignore-path ../../../.pretti--cached /tmp/go-build290--name-only -tes�� -test.paniconexit0 -test.v=true /usr/bin/git -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch run format:pkg-json /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet tierignore --jq bject.type] | @t--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuremote.origin.url -ato�� licyTrustedUsersExpressionCompiledOutput1626412894/001 -buildtags ache/node/24.14.1/x64/bin/node l -ifaceassert -nilfunc ache/node/24.14.--jq (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Fix max limit enforcement for API responses in load_experiment_state_from_repo.cjs Enforce max-size guard for repo-loaded experiment state (SEC-003) May 5, 2026
Copilot AI requested a review from pelikhan May 5, 2026 20:57
@pelikhan pelikhan marked this pull request as ready for review May 5, 2026 21:13
Copilot AI review requested due to automatic review settings May 5, 2026 21:13

Copilot AI left a comment


Pull request overview

Adds a size guard to load_experiment_state_from_repo.cjs so repo-loaded experiment state is skipped when it exceeds the configured maximum, and extends tests around the new boundary behavior.

Changes:

  • Introduces MAX_STATE_FILE_BYTES and a pre-parse size check in the experiment state loader.
  • Adds main()-level tests for oversized and exact-boundary state files.
  • Adds test setup/teardown for env var restoration and temp directory cleanup.
Summary per file:

  • actions/setup/js/load_experiment_state_from_repo.cjs: adds the new max-size constant and guard before JSON parse/write.
  • actions/setup/js/load_experiment_state_from_repo.test.cjs: adds behavioral tests for oversized and boundary-sized state payloads plus test cleanup helpers.

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 2

Comment on lines +28 to +35
* Returns true when decoded state content exceeds allowed byte length.
*
* @param {string} content
* @param {number} maxBytes
* @returns {boolean}
*/
function checkLimit(content, maxBytes) {
return content.length > maxBytes;
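Review bot: the doc comment on checkLimit promises a limit on "byte length", but `content.length > maxBytes` counts UTF-16 code units, so a decoded state file made of multi-byte characters (2 bytes per accented Latin letter, 3 per CJK character, 4 per emoji) passes this check while being up to three times larger than MAX_STATE_FILE_BYTES once parsed and written. If the conformance scanner requires the literal `content.length > MAX_STATE_FILE_BYTES` shape, keep it but say in the comment that the cap is in characters; otherwise measure `Buffer.byteLength(content, "utf8") > maxBytes`. The comment should also make clear that the check runs on the already-decoded content, so by the time it fires the full base64 response has been fetched and decoded: the guard bounds what is parsed and written to disk, not what is downloaded.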
Comment on lines +170 to +174
const prefix = '{"counts":{"a":"';
const suffix = '"}}';
const payloadLength = MAX_STATE_FILE_BYTES - prefix.length - suffix.length;
const boundaryContent = `${prefix}${"x".repeat(payloadLength)}${suffix}`;
const encoded = Buffer.from(boundaryContent, "utf8").toString("base64");
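Review bot: this boundary fixture is pure ASCII, where string length and UTF-8 byte length coincide, so it cannot tell whether MAX_STATE_FILE_BYTES is being enforced in bytes or in characters. Add a sibling case that fills the payload with a multi-byte character (for example "é" repeated so that `boundaryContent.length` still equals MAX_STATE_FILE_BYTES while `Buffer.byteLength(boundaryContent, "utf8")` exceeds it) and assert on whichever outcome the loader is meant to have; with a `.length` check it will be accepted, which should be a deliberate, tested decision rather than an accident. Since the last line shows the fixture reaching the loader base64-encoded, it is also worth asserting that the limit is applied to the decoded string rather than to `encoded`, whose length is about a third larger.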
@pelikhan pelikhan merged commit 281b9df into main May 5, 2026
4 checks passed
@pelikhan pelikhan deleted the copilot/sec-003-enforce-max-limit branch May 5, 2026 21:38
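The point the size guard in this PR turns on, string length versus UTF-8 byte length when capping a repos.getContent payload before it is parsed, written out as an added example; this is not code from the gh-aw project. The constant MAX_STATE_BYTES, the functions exceedsByteLimit, loadBoundedState and makeResponse, and the fake response object are all assumptions made for this illustration.

```javascript
// Added example, not code from the gh-aw project. MAX_STATE_BYTES,
// exceedsByteLimit, loadBoundedState, makeResponse and the fake response
// shape are assumptions made for this illustration.
const MAX_STATE_BYTES = 102400; // same cap the PR uses for MAX_STATE_FILE_BYTES

// True when `content`, stored as UTF-8, would exceed `maxBytes`.
// content.length counts UTF-16 code units: "é" is 1 unit but 2 bytes,
// "中" 1 unit but 3 bytes, "😀" 2 units but 4 bytes, so a length-based
// check undercounts non-ASCII payloads by up to 3x.
function exceedsByteLimit(content, maxBytes) {
  return Buffer.byteLength(content, "utf8") > maxBytes;
}

// Applies the guard to a repos.getContent-style response ({ content, encoding })
// before JSON.parse. The whole response has already been received by now; the
// guard bounds what gets parsed and written, not what was downloaded.
function loadBoundedState(response, maxBytes = MAX_STATE_BYTES) {
  // Directories come back as arrays and files the API does not inline carry
  // no base64 string body; treat both as "nothing to load" rather than parsing.
  if (!response || response.encoding !== "base64" || typeof response.content !== "string") {
    return { status: "unsupported", state: null, bytes: 0 };
  }
  const decoded = Buffer.from(response.content, "base64").toString("utf8");
  const bytes = Buffer.byteLength(decoded, "utf8");
  if (exceedsByteLimit(decoded, maxBytes)) {
    // Caller would log a warning and start from fresh state here.
    return { status: "too_large", state: null, bytes };
  }
  try {
    return { status: "ok", state: JSON.parse(decoded), bytes };
  } catch (_err) {
    return { status: "invalid_json", state: null, bytes };
  }
}

// Constructed fixture: a base64-encoded JSON document whose decoded string has
// exactly `units` UTF-16 code units, padded with `fill`. Same shape as the PR's
// boundary test, so the divergence between .length and bytes is easy to see.
function makeResponse(units, fill = "x") {
  const prefix = '{"counts":{"a":"';
  const suffix = '"}}';
  const body = fill.repeat(units - prefix.length - suffix.length);
  const json = prefix + body + suffix;
  return { encoding: "base64", content: Buffer.from(json, "utf8").toString("base64") };
}
```

With fill "x" a document of exactly MAX_STATE_BYTES code units is accepted; with fill "é" the same document has the same .length but roughly twice the bytes and is rejected, which is the case a character-counting guard lets through.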

Development

Successfully merging this pull request may close these issues.

[Safe Outputs Conformance] SEC-003: load_experiment_state_from_repo.cjs lacks max limit enforcement for API responses

3 participants