Align ET budget failure diagnostics with firewall-compiled ET totals#31201
Merged
Conversation
Closed
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix workflow failure for Q due to token budget exhaustion
Align ET budget failure diagnostics with firewall-compiled ET totals
May 9, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes misleading “ET budget exhausted” diagnostics by aligning effective-token totals used in the failure path with the AWF firewall-compiled ET state (via awf-reflect.json) rather than potentially-drifting env-derived recomputation.
Changes:
- Add parsing of
effective_tokens.total_effective_tokensandeffective_tokens.max_effective_tokensfrom the firewall reflect file and use it as a fallback source between audit log values and env fallbacks. - Update ET failure-state resolution precedence to prefer audit log → reflect file → env.
- Add a regression test covering the “high env ET, lower firewall reflect ET” mismatch scenario.
Show a summary per file
| File | Description |
|---|---|
| actions/setup/js/effective_tokens_context.cjs | Adds reflect-file parsing and updates ET source precedence in resolveEffectiveTokensFailureState(). |
| actions/setup/js/handle_agent_failure.test.cjs | Adds regression coverage ensuring firewall reflect ET totals suppress false budget-exhaustion signals. |
| .github/workflows/daily-news.lock.yml | Regenerates the Daily News lock workflow with multiple version/step/env updates. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 2
Comment on lines
66
to
+118
| @@ -86,6 +86,7 @@ run-name: "Daily News" | |||
| env: | |||
| OTEL_EXPORTER_OTLP_ENDPOINT: ${{ secrets.GH_AW_OTEL_ENDPOINT }} | |||
| OTEL_SERVICE_NAME: gh-aw | |||
| COPILOT_OTEL_FILE_EXPORTER_PATH: /tmp/gh-aw/copilot-otel.jsonl | |||
| OTEL_EXPORTER_OTLP_HEADERS: ${{ secrets.GH_AW_OTEL_HEADERS }} | |||
| GH_AW_OTLP_ENDPOINTS: '[{"url":"${{ secrets.GH_AW_OTEL_ENDPOINT }}","headers":"${{ secrets.GH_AW_OTEL_HEADERS }}"}]' | |||
|
|
|||
| @@ -105,16 +106,23 @@ jobs: | |||
| setup-trace-id: ${{ steps.setup.outputs.trace-id }} | |||
| stale_lock_file_failed: ${{ steps.check-lock-file.outputs.stale_lock_file_failed == 'true' }} | |||
| steps: | |||
| - name: Checkout actions folder | |||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |||
| with: | |||
| repository: github/gh-aw | |||
| sparse-checkout: | | |||
| actions | |||
| persist-credentials: false | |||
| - name: Setup Scripts | |||
| id: setup | |||
| uses: github/gh-aw-actions/setup@v0.71.5 | |||
| uses: ./actions/setup | |||
Comment on lines
+646
to
+648
| run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh" | ||
| - name: Download container images | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.40@sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40@sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280 ghcr.io/github/gh-aw-firewall/squid:0.25.40@sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51 ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.42 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.42 ghcr.io/github/gh-aw-firewall/squid:0.25.42 ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug Fix
What was the bug?
Qwas reported as ET-budget exhausted (12.2M / 10M) even when firewall-compiled ET state showed usage below budget. The failure path used recomputed ET from token usage/env and could drift from firewall ET compilation, producing false budget-exhaustion diagnostics.How did you fix it?
resolveEffectiveTokensFailureState()to resolve ET values in this order:sandbox/firewall/awf-reflect.json)effective_tokens.total_effective_tokenseffective_tokens.max_effective_tokens