Problem
The Smoke Gemini workflow fails on every PR with TypeError: fetch failed sending request from @google/gemini-cli. Firewall logs show 98 blocks to localhost:8080 (AWF's Gemini API proxy port 10003) and 15 blocks to 172.30.0.30:10003, while the actual Gemini API host (generativelanguage.googleapis.com or aiplatform.googleapis.com) is not in the domain allowlist.
Context
Original issue: github/gh-aw#31575
Failing since at least 2026-05-09 across 5+ consecutive PR runs. Zero tokens consumed, confirming requests never reach the API. The AWF Gemini sidecar (containers/api-proxy/, port 10003) forwards requests upstream, but the upstream Gemini API host is not whitelisted in GH_AW_ALLOWED_DOMAINS for the Smoke Gemini workflow.
Root Cause
generativelanguage.googleapis.com (Gemini CLI v1beta) and/or aiplatform.googleapis.com (Vertex) are absent from the allowed-domains list passed to awf in the Smoke Gemini workflow definition. Squid denies those CONNECT requests, surfacing as a transport-level fetch failed.
Proposed Solution
- Add generativelanguage.googleapis.com and aiplatform.googleapis.com to GH_AW_ALLOWED_DOMAINS in the Smoke Gemini workflow config.
- Enable DEBUG=gemini-cli:* or capture error.cause in the agent step to surface the exact denied host in future failures.
- Verify fix by confirming firewall log shows TCP_TUNNEL (ALLOWED) for the Gemini host with non-zero request count on next PR run.
Generated by Firewall Issue Dispatcher
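The verification step above can be scripted. The following is an added example, not code from gh-aw or AWF: it tallies Squid CONNECT verdicts per host and lists denied hosts that the allowlist does not cover. It assumes the firewall log uses Squid's native access.log layout, that GH_AW_ALLOWED_DOMAINS is a comma-separated list, and that an entry also matches its subdomains. The function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Squid's native access.log layout (an assumption about
# how the AWF firewall log is formatted); not taken from the failing runs.
SAMPLE_LOG = """\
1778313600.101     3 172.30.0.20 TCP_DENIED/403 3812 CONNECT generativelanguage.googleapis.com:443 - HIER_NONE/- text/html
1778313600.207     2 172.30.0.20 TCP_DENIED/403 3812 CONNECT generativelanguage.googleapis.com:443 - HIER_NONE/- text/html
1778313600.315     2 172.30.0.20 TCP_DENIED/403 3790 CONNECT 172.30.0.30:10003 - HIER_NONE/- text/html
1778313601.020   412 172.30.0.20 TCP_TUNNEL/200 5120 CONNECT api.github.com:443 - HIER_DIRECT/192.0.2.10 -
"""

# timestamp, elapsed, client, RESULT/status, bytes, CONNECT host:port
LINE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<code>[A-Z_]+)/\d{3}\s+\d+\s+CONNECT\s+(?P<host>[^\s:]+):\d+\s"
)

def connect_verdicts(log_text):
    """Count CONNECT result codes per host, e.g. {'host': Counter({'TCP_DENIED': 2})}."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            verdicts.setdefault(m["host"].lower(), Counter())[m["code"]] += 1
    return verdicts

def is_allowed(host, allowed_domains):
    """True if host equals an allowlist entry or is a subdomain of one (assumed rule)."""
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def denied_and_unlisted(log_text, allowed_domains_csv):
    """Hosts denied at least once that the comma-separated allowlist does not cover."""
    allowed = [d.strip().lower().lstrip(".") for d in allowed_domains_csv.split(",") if d.strip()]
    return sorted(h for h, c in connect_verdicts(log_text).items()
                  if c["TCP_DENIED"] and not is_allowed(h, allowed))

def fix_verified(log_text, host):
    """Acceptance check: non-zero TCP_TUNNEL count for host; also requires zero denials."""
    c = connect_verdicts(log_text).get(host.lower(), Counter())
    return c["TCP_TUNNEL"] > 0 and c["TCP_DENIED"] == 0

if __name__ == "__main__":
    print(denied_and_unlisted(SAMPLE_LOG, "api.github.com,github.com"))
    print(fix_verified(SAMPLE_LOG, "generativelanguage.googleapis.com"))
```

Run against the real firewall log before and after the allowlist change; a denied internal address such as the sidecar at 172.30.0.30 showing up in the first list points at proxy routing rather than a missing upstream domain.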