Skip to content

Allow Chaos PR Bundle Fuzzer to modify tests/chaos/** in safe-output PR creation#33553

Merged
pelikhan merged 3 commits into
mainfrom
copilot/aw-fix-chaos-pr-bundle-fuzzer
May 20, 2026
Merged

Allow Chaos PR Bundle Fuzzer to modify tests/chaos/** in safe-output PR creation#33553
pelikhan merged 3 commits into
mainfrom
copilot/aw-fix-chaos-pr-bundle-fuzzer

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 20, 2026
edited
Loading

The Chaos PR Bundle Fuzzer run failed because all create_pull_request safe outputs were rejected by allowed-files enforcement. The generated patches modified tests/chaos/**, but that path was not in the workflow allowlist.

  • Problem alignment

    • Updated the workflow safe-output allowlist to include the path family actually used by chaos scenarios (tests/chaos/**), removing the mismatch that caused all 5 PR creations to fail.

  • Workflow source update

    • In chaos-pr-bundle-fuzzer.md, added tests/chaos/** under safe-outputs.create-pull-request.allowed-files.
    • Updated the scenario instructions so the edit scope explicitly matches the configured allowlist.

  • Compiled workflow sync

    • Regenerated chaos-pr-bundle-fuzzer.lock.yml so runtime safe-output config reflects the new allowlist entry.
safe-outputs:
  create-pull-request:
    allowed-files:
      - "tmp/chaos/**"
      - "scratchpad/chaos/**"
      - "tests/chaos/**"

Copilot AI linked an issue May 20, 2026 that may be closed by this pull request
[aw] Chaos PR Bundle Fuzzer failed #33549
Closed
@github-actions github-actions Bot mentioned this pull request May 20, 2026
Closed
Copilot AI and others added 2 commits May 20, 2026 13:59
@pelikhan
chore: start chaos PR bundle fuzzer investigation
9c38961 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
fix: allow chaos PR fuzzer writes under tests/chaos
3c15e38 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix Chaos PR Bundle Fuzzer workflow failure Allow Chaos PR Bundle Fuzzer to modify tests/chaos/** in safe-output PR creation May 20, 2026
Copilot AI requested a review from pelikhan May 20, 2026 14:11
@pelikhan pelikhan marked this pull request as ready for review May 20, 2026 14:29
Copilot AI review requested due to automatic review settings May 20, 2026 14:29
@pelikhan pelikhan merged commit d9293e9 into main May 20, 2026
@pelikhan pelikhan deleted the copilot/aw-fix-chaos-pr-bundle-fuzzer branch May 20, 2026 14:29
Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Chaos PR Bundle Fuzzer safe-output configuration so its generated patches can legally modify tests/chaos/**, resolving failures caused by allowed-files enforcement rejecting all create_pull_request outputs.

Changes:

  • Expand safe-outputs.create-pull-request.allowed-files in chaos-pr-bundle-fuzzer.md to include tests/chaos/**, and align the scenario instructions accordingly.
  • Regenerate chaos-pr-bundle-fuzzer.lock.yml so the runtime safe-outputs config includes the updated allowlist.
  • Multiple workflow lockfiles also update their network allowlists to include patch-diff.githubusercontent.com (broadening outbound access).
Show a summary per file
File Description
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/ubuntu-image-analyzer.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/technical-doc-writer.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/step-name-alignment.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/spec-librarian.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/spec-extractor.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/smoke-workflow-call.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/smoke-workflow-call-with-inputs.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/smoke-temporary-id.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/smoke-multi-pr.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/smoke-call-workflow.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env (plus regenerated heredoc labels).
.github/workflows/outcome-collector.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/layout-spec-maintainer.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/dependabot-campaign.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/delight.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/daily-subagent-optimizer.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/daily-sentrux-report.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/copilot-pr-merged-report.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/copilot-opt.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/copilot-cli-deep-research.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/copilot-agent-analysis.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/claude-code-user-docs-review.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.
.github/workflows/chaos-pr-bundle-fuzzer.md Adds tests/chaos/** to allowed-files and updates scenario instructions to match.
.github/workflows/chaos-pr-bundle-fuzzer.lock.yml Regenerates safe-outputs runtime config to include tests/chaos/** in allowed_files.
.github/workflows/aw-portfolio-yield.lock.yml Adds patch-diff.githubusercontent.com to allowed domains in the embedded AWF config/env.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 67/67 changed files
  • Comments generated: 1

Comment thread .github/workflows/weekly-safe-outputs-spec-review.lock.yml
export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK"
(umask 177 && touch /tmp/gh-aw/agent-stdio.log)
printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.49/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","*.grafana.net","*.sentry.io","api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","codeload.github.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","docs.github.com","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.blog","github.com","github.githubassets.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","lfs.github.com","objects.githubusercontent.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","ppa.launchpad.net","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","telemetry.enterprise.githubcopilot.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com","www.googleapis.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxEffectiveTokens":25000000,"models":{"agent":["sonnet-6x","gpt-5.4","gpt-5","gemini-pro","haiku","any"],"any":["copilot/*","anthropic/*","openai/*","google/*","gemini/*"],"auto":["large"],"claude":["agent","sonnet-6x","haiku","any"],"codex":["agent","gpt-5-codex","gpt-5","any"],"coding":["copilot/gpt-5*codex*","openai/gpt-5*codex*","gpt-5-codex"],"copilot":["agent","gpt-5.4","sonnet","gpt-5","any"],"deep-research":["copilot/deep-research*","copilot/o3-deep-research*","copilot/o4-mini-deep-research*","google/deep-research*","gemini/deep-research*","openai/o3-deep-research*","openai/o4-mini-deep-research*"],"gemini":["agent","gemini-pro","gemini-flash","any"],"gemini-flash":["copilot/gemini-*flash*","google/gemini-*flash*","gemini/gemini-*flash*"],"gemini-flash-lite":["copilot/gemini-*flash*lite*","google/gemini-*flash*lite*","gemini/gemini-*flash*lite*"],"gemini-pro":["copilot/gemini-*pro*","google/gemini-*pro*","gemini/gemini-*pro*"],"gemma":["copilot/gemma*","google/gemma*","gemini/gemma*"],"gpt-4.1":["copilot/gpt-4.1*","openai/gpt-4.1*"],"gpt-5":["copilot/gpt-5*","openai/gpt-5*"],"gpt-5-codex":["copilot/gpt-5*codex*","openai/gpt-5*codex*"],"gpt-5-mini":["copilot/gpt-5*mini*","openai/gpt-5*mini*"],"gpt-5-nano":["copilot/gpt-5*nano*","openai/gpt-5*nano*"],"gpt-5-pro":["copilot/gpt-5*pro*","openai/gpt-5*pro*"],"haiku":["copilot/*haiku*","anthropic/*haiku*"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash-lite","copilot/raptor*mini*"],"opus":["copilot/*opus*","anthropic/*opus*"],"reasoning":["copilot/o1*","copilot/o3*","copilot/o4*","openai/o1*","openai/o3*","openai/o4*"],"small":["mini"],"sonnet":["copilot/*sonnet*","anthropic/*sonnet*"],"sonnet-6x":["copilot/*sonnet-4.5*","copilot/*sonnet-4-5*","anthropic/*sonnet-4.5*","anthropic/*sonnet-4-5*","copilot/*sonnet-3.7*","copilot/*sonnet-3-7*","anthropic/*sonnet-3.7*","anthropic/*sonnet-3-7*","copilot/*sonnet-3.5*","copilot/*sonnet-3-5*","anthropic/*sonnet-3.5*","anthropic/*sonnet-3-5*"],"vision":["copilot/gemini-*image*","gemini/gemini-*image*","copilot/gemini-*flash*","gemini/gemini-*flash*"]}},"container":{"imageTag":"0.25.49"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json"
printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.49/awf-config.schema.json","network":{"allowDomains":["*.githubusercontent.com","*.grafana.net","*.sentry.io","api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","api.snapcraft.io","archive.ubuntu.com","azure.archive.ubuntu.com","codeload.github.com","crl.geotrust.com","crl.globalsign.com","crl.identrust.com","crl.sectigo.com","crl.thawte.com","crl.usertrust.com","crl.verisign.com","crl3.digicert.com","crl4.digicert.com","crls.ssl.com","docs.github.com","github-cloud.githubusercontent.com","github-cloud.s3.amazonaws.com","github.blog","github.com","github.githubassets.com","host.docker.internal","json-schema.org","json.schemastore.org","keyserver.ubuntu.com","lfs.github.com","objects.githubusercontent.com","ocsp.digicert.com","ocsp.geotrust.com","ocsp.globalsign.com","ocsp.identrust.com","ocsp.sectigo.com","ocsp.ssl.com","ocsp.thawte.com","ocsp.usertrust.com","ocsp.verisign.com","packagecloud.io","packages.cloud.google.com","packages.microsoft.com","patch-diff.githubusercontent.com","ppa.launchpad.net","raw.githubusercontent.com","registry.npmjs.org","s.symcb.com","s.symcd.com","security.ubuntu.com","telemetry.enterprise.githubcopilot.com","ts-crl.ws.symantec.com","ts-ocsp.ws.symantec.com","www.googleapis.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxEffectiveTokens":25000000,"models":{"agent":["sonnet-6x","gpt-5.4","gpt-5","gemini-pro","haiku","any"],"any":["copilot/*","anthropic/*","openai/*","google/*","gemini/*"],"auto":["large"],"claude":["agent","sonnet-6x","haiku","any"],"codex":["agent","gpt-5-codex","gpt-5","any"],"coding":["copilot/gpt-5*codex*","openai/gpt-5*codex*","gpt-5-codex"],"copilot":["agent","gpt-5.4","sonnet","gpt-5","any"],"deep-research":["copilot/deep-research*","copilot/o3-deep-research*","copilot/o4-mini-deep-research*","google/deep-research*","gemini/deep-research*","openai/o3-deep-research*","openai/o4-mini-deep-research*"],"gemini":["agent","gemini-pro","gemini-flash","any"],"gemini-flash":["copilot/gemini-*flash*","google/gemini-*flash*","gemini/gemini-*flash*"],"gemini-flash-lite":["copilot/gemini-*flash*lite*","google/gemini-*flash*lite*","gemini/gemini-*flash*lite*"],"gemini-pro":["copilot/gemini-*pro*","google/gemini-*pro*","gemini/gemini-*pro*"],"gemma":["copilot/gemma*","google/gemma*","gemini/gemma*"],"gpt-4.1":["copilot/gpt-4.1*","openai/gpt-4.1*"],"gpt-5":["copilot/gpt-5*","openai/gpt-5*"],"gpt-5-codex":["copilot/gpt-5*codex*","openai/gpt-5*codex*"],"gpt-5-mini":["copilot/gpt-5*mini*","openai/gpt-5*mini*"],"gpt-5-nano":["copilot/gpt-5*nano*","openai/gpt-5*nano*"],"gpt-5-pro":["copilot/gpt-5*pro*","openai/gpt-5*pro*"],"haiku":["copilot/*haiku*","anthropic/*haiku*"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash-lite","copilot/raptor*mini*"],"opus":["copilot/*opus*","anthropic/*opus*"],"reasoning":["copilot/o1*","copilot/o3*","copilot/o4*","openai/o1*","openai/o3*","openai/o4*"],"small":["mini"],"sonnet":["copilot/*sonnet*","anthropic/*sonnet*"],"sonnet-6x":["copilot/*sonnet-4.5*","copilot/*sonnet-4-5*","anthropic/*sonnet-4.5*","anthropic/*sonnet-4-5*","copilot/*sonnet-3.7*","copilot/*sonnet-3-7*","anthropic/*sonnet-3.7*","anthropic/*sonnet-3-7*","copilot/*sonnet-3.5*","copilot/*sonnet-3-5*","anthropic/*sonnet-3.5*","anthropic/*sonnet-3-5*"],"vision":["copilot/gemini-*image*","gemini/gemini-*image*","copilot/gemini-*flash*","gemini/gemini-*flash*"]}},"container":{"imageTag":"0.25.49"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[aw] Chaos PR Bundle Fuzzer failed

3 participants

@pelikhan