Default Pi workflows to CLI proxy mode and relax Smoke Pi tool/file restrictions and runtime settings#35836
Default Pi workflows to CLI proxy mode and relax Smoke Pi tool/file restrictions and runtime settings#35836Copilot wants to merge 11 commits into
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
Commit pushed:
|
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Pull request overview
This PR updates the workflow compiler so that selecting engine: pi implicitly injects Pi-required tool defaults (CLI proxy + GitHub gh-proxy mode) when the user hasn’t explicitly set them, ensuring Pi workflows compile with the expected safeoutputs execution model by default.
Changes:
- Inject
tools.cli-proxy: trueforengine: piwhen not explicitly provided. - Inject
tools.github.mode: gh-proxyforengine: piwhen not explicitly provided (while respecting explicittools.github.mode/tools.github: false). - Add an orchestrator-level unit test validating Pi default injection behavior.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/compiler_orchestrator_tools.go | Adds Pi-specific tool default injection during tool processing. |
| pkg/workflow/compiler_orchestrator_tools_test.go | Adds test coverage asserting Pi default tool injection. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 2
| orchestratorToolsLog.Printf("Tools merge failed: %v", err) | ||
| return nil, fmt.Errorf("failed to merge tools: %w", err) | ||
| } | ||
| applyPiRequiredToolDefaults(tools, agenticEngine) |
| assert.Equal(t, "gh-proxy", githubConfig["mode"], "Pi should default tools.github.mode to gh-proxy") | ||
| } | ||
|
|
||
| // TestProcessToolsAndMarkdown_ToolsMerging tests tools merging from imports and includes |
There was a problem hiding this comment.
Good catch. Smoke bot agree. This path needs explicit opt-out or explicit-mode coverage too.
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · gpt54 14.3M
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Implemented in
|
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
💫 TO BE CONTINUED... Smoke Claude failed to deliver outputs! Our hero faces unexpected challenges... |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ Testing safeoutputs CLI accessibility |
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
🌑 The shadows whisper... Smoke Codex failed to deliver outputs. The oracle requires further meditation... |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
|
|
Smoke Test Results for 26676306397:
Overall Status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
|
Smoke test: FAIL ✅ #35855 [code-simplifier] Simplify claude_tools.go: use getOrCreateToolMap and clearer isClaudeToolName Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
💥 Smoke Test: Claude — Run 26676306406Core #1–13: ✅ (note: #2 Overall: PARTIAL ✅ Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · opus48 946.8K
|
Smoke bot done. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
Smoke review done. Me left 2 inline notes.
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · gpt54 18.2M
| // Check if GitHub tool was explicitly configured in the original frontmatter. | ||
| // This must be computed before Pi defaults are applied so injected defaults do | ||
| // not affect explicit-intent checks used by permission validation. | ||
| _, hasExplicitGitHubTool := topTools["github"] |
There was a problem hiding this comment.
Nice guard. This keeps Pi default injection from looking like explicit tools.github intent during permission validation.
|
|
||
| require.NoError(t, err) | ||
| require.NotNil(t, result) | ||
| assert.False(t, result.hasExplicitGitHubTool, "Auto-injected Pi GitHub defaults must not count as explicit tools.github config") |
There was a problem hiding this comment.
Good regression coverage. This pins the exact explicitness bug the earlier review thread called out.
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
Checks are green and the branch is current. Re-requesting human review.
|
1 similar comment
|
Checks are green and the branch is current. Re-requesting human review.
|
|
|
|
|
|
|
|
|
Pi workflows were failing when
safeoutputsCLI paths were expected butcli-proxymode was not explicitly configured. This change makes Pi’s required transport/tool defaults implicit so Pi workflows compile with the expected execution model out of the box, and updates the Smoke Pi workflow configuration to allow broader tool/file operations.Compiler defaults for Pi engine
tools.cli-proxy: truewhenengine: piis selected and the flag is not explicitly set.tools.github.mode: gh-proxywhenengine: piis selected and GitHub mode is not explicitly set.Explicit user intent remains authoritative
tools.github: false(no forced GitHub tool enablement).tools.github.modevalues (no override when already declared).Smoke Pi permissions/tooling adjustment
tools.github.toolsetsrestriction in.github/workflows/smoke-pi.mdso Pi is not limited to a narrow GitHub tool subset in this smoke workflow./tmp/gh-aw/agentto/tmpin the same workflow to support broader read/write operations.MCP CLI mount reliability fix for Pi/safeoutputs
RUNNER_TEMPfallback:export PATH="${RUNNER_TEMP:-/home/runner/work/_temp}/gh-aw/mcp-cli/bin:$PATH"safeoutputs) remain discoverable in AWF container execution even whenRUNNER_TEMPis not set in-container.Coverage for default injection behavior
gh-proxytools.github.modeis preserved and correctly rejected forengine: pi.Additional Smoke Pi runtime/firewall updates
.github/workflows/smoke-pi.md(network.allowed: go) so Go toolchain/module endpoints are available during smoke builds.RUNNER_TEMPexplicitly to Pi execution viaengine.envso agent/container steps consistently receive runner temp path context.engine.args: ["--yolo"].Example behavior after this change:
is effectively treated as:
Changeset
cli-proxyandgh-proxymode when unspecified, relax Smoke Pi workflow tool/file restrictions, ensure mountedsafeoutputsCLI is reliably available in Pi runs, and update Smoke Pi runtime/firewall settings (godomains,RUNNER_TEMPenv propagation, and Pi--yolomode).> Generated by 👨🍳 PR Sous Chef · gpt54 8.1M · ◷
✨ PR Review Safe Output Test - Run 26676306406
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.comSee Network Configuration for more information.