fix(linter-miner): add go build/test to bash allowlist and harden error handling

[Copilot]

Bug Fix

What was the bug?

The Linter Miner consumed 63.5M tokens over 15 minutes and exited without calling any safe output. The root cause was that go build was absent from the bash allowlist, so the agent could never verify compilation after writing linter files. The original command also used cd $GITHUB_WORKSPACE && go build ./cmd/linters — a compound shell expression that wouldn't have matched a go build:* pattern even after adding one.

How did you fix it?

• linter-miner.md — bash allowlist: added go build:* and go test:*

  bash:
    - ...existing entries...
    - "go build:*"
    - "go test:*"

• Compilation verification command: simplified to go build ./cmd/linters (the cd … && prefix would have bypassed the new allowlist pattern)

• Error handling guidance: if compilation still fails after two separate fix attempts, the sub-agent now calls report_incomplete rather than silently exhausting its context

• Safety-net guideline: explicitly instructs the agent to always call create_pull_request or noop before finishing — never exit without a safe output

• linter-miner.lock.yml: recompiled; now includes --allow-tool 'shell(go build:*)' and --allow-tool 'shell(go test:*)'

[pelikhan]

@copilot allow go in firewall

[Copilot]

@copilot allow go in firewall

Done — added network: allowed: [defaults, go] to linter-miner.md and recompiled. The lock file now allows golang.org, proxy.golang.org, sum.golang.org, go.dev, pkg.go.dev, and goproxy.io through the firewall.

[Copilot]

Pull request overview

Fixes a Linter Miner agent failure mode where it could exhaust its context without producing a safe output. The root cause was that go build wasn't in the bash allowlist, so compilation verification always failed. Adds the missing allowlist entries, simplifies the verification command to match the new pattern, and adds explicit guidance for the agent to always finish with a safe output.

Changes:

• Adds go build:* and go test:* to the bash allowlist, plus the go network domain group
• Simplifies the compile-verification command (drops the cd $GITHUB_WORKSPACE && prefix that would have bypassed the new allowlist pattern)
• Adds prompt guidance to call report_incomplete/noop/create_pull_request rather than ending with no safe output

Show a summary per file

File	Description
.github/workflows/linter-miner.md	Adds go build/test to bash allowlist, opens go network egress, simplifies build command, and adds safe-output exit guidance.
.github/workflows/linter-miner.lock.yml	Recompiled lock file reflecting the source changes (also picks up unrelated compiler-version-driven updates).
.github/workflows/daily-geo-optimizer.lock.yml	Unrelated minor regeneration of a different workflow's lock file (uses env var for repository in geo audit).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 0