fix: handle grep no-match exit in claude-token-optimizer step by Copilot · Pull Request #3261 · github/gh-aw-firewall

Copilot · 2026-05-16T16:31:22Z

The "Identify top workflow and stage its file" pre-agent step was failing when the top-ranked Claude workflow (e.g. security-guard.md) has no name: frontmatter field — only a markdown heading. grep -Flx exits 1 on no match, and set -euo pipefail propagated that into a step failure, skipping the entire agent execution.

Changes

claude-token-optimizer.md — append || true to the grep pipeline so a no-match result yields an empty $FILE rather than a non-zero exit; the existing kebab-case fallback then correctly resolves the filename
claude-token-optimizer.lock.yml — recompiled from the updated source

# Before
FILE=$(grep -Flx -- "name: ${TOP_WORKFLOW}" .github/workflows/*.md 2>/dev/null | head -1)

# After
FILE=$(grep -Flx -- "name: ${TOP_WORKFLOW}" .github/workflows/*.md 2>/dev/null | head -1 || true)

The fallback path ([ -z "$FILE" ] && FILE=".github/workflows/${KEBAB}.md") was already correct — it just never ran.

Copilot

Pull request overview

Fixes a step failure in the claude-token-optimizer workflow caused by grep -Flx returning exit code 1 (no match) under set -euo pipefail. Appending || true ensures the no-match case falls through to the kebab-case filename fallback instead of aborting the step.

Changes:

Append || true to the grep command so unmatched names produce an empty $FILE and trigger the existing fallback.
Recompile the lock file (also picks up unrelated compiler-driven updates: sparse-checkout list, awf install script, session-state copy script, prompt hash regeneration).

Show a summary per file

File	Description
`.github/workflows/claude-token-optimizer.md`	Adds `
`.github/workflows/claude-token-optimizer.lock.yml`	Regenerated lock file reflecting the source change plus compiler-driven updates.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 2/2 changed files
Comments generated: 0

lpcox · 2026-05-16T16:52:55Z

@copilot fix the failing ci check https://github.com/github/gh-aw-firewall/actions/runs/25967201693/job/76333044699?pr=3261

Copilot · 2026-05-16T16:54:43Z

@copilot fix the failing ci check https://github.com/github/gh-aw-firewall/actions/runs/25967201693/job/76333044699?pr=3261

The CI failure was Error: Cannot find module './oidc-token-provider-base' — oidc-token-provider-base.js was missing from the explicit COPY list in containers/api-proxy/Dockerfile. Fixed in commit fix: add oidc-token-provider-base.js to api-proxy Dockerfile COPY list.

github-actions · 2026-05-16T17:46:22Z

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.15.0	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Result: ❌ Not all runtimes match — Python and Node.js versions differ between host and chroot environments. Go matched successfully.

Tested by Smoke Chroot

lpcox · 2026-05-16T18:26:10Z

@copilot merge main

…claude-token-optimization

Copilot · 2026-05-16T18:28:36Z

@copilot merge main

Done. Merged origin/main — resolved a Dockerfile conflict where both branches independently added oidc-token-provider-base.js (kept main's ordering).

github-actions · 2026-05-16T18:32:28Z

🔥 Smoke Test: Copilot BYOK (Offline Mode)

Test	Result
GitHub MCP connectivity	❌ 401 (unauthenticated MCP tools in sandbox)
GitHub.com HTTP connectivity	⚠️ pre-step data not expanded
File write/read	✅ `/tmp/gh-aw/agent/smoke-test-copilot-byok-25969550294.txt` exists
BYOK inference (api-proxy → api.githubcopilot.com)	✅ responding normally

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: PARTIAL PASS — BYOK inference path confirmed working; GitHub MCP unauthenticated in sandbox (expected limitation).

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions · 2026-05-16T18:33:33Z

Smoke Test Results

GitHub MCP Testing: ❌ (mcpscripts command not found)
GitHub.com Connectivity: ❌ (SSL/Proxy error)
File Writing Testing: ✅
Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

github-actions · 2026-05-16T18:33:36Z

🔬 Smoke Test: Copilot Engine — PASS

Test	Result
GitHub MCP connectivity	⚠️ 401 (gh CLI not authenticated in sandbox — expected)
GitHub.com HTTP	✅ 200
File write/read	✅ `/tmp/gh-aw/agent/smoke-test-copilot-25969550288.txt` verified

Overall: PASS — Core connectivity and file I/O working. MCP 401 is a sandbox limitation, not a failure.

PR: #3261 | Actor: @Copilot

📰 BREAKING: Report filed by Smoke Copilot

github-actions · 2026-05-16T18:33:50Z

Codex smoke test
PRs: Optimize export-audit workflow token usage by precomputing audits and bounding verification | [awf] Support Azure Copilot BYOK env routing in api-proxy and resolve gpt-5.4 via gpt-5 family aliases
❌ GitHub MCP unavailable; ❌ safeinputs-gh missing; ✅ Playwright title; ❌ Tavily no tools
✅ file write/read; ❌ discussion safe-input missing (REST found #191); ✅ npm ci && npm run build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

github-actions · 2026-05-16T18:34:33Z

Smoke Test Results

❌ GitHub API: gh CLI authentication unavailable
✅ Playwright: Navigated to GitHub, title contains "GitHub"
✅ File verify: Smoke test marker file exists

Result: 2/3 PASSED — Playwright and file verification passed; GitHub API test blocked by missing authentication.

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-05-16T18:35:54Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	0 tests (ok)	✅ PASS
Rust	zoxide	✅	0 tests (ok)	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3261 · ● 5.1M · ◷

github-actions · 2026-05-16T18:36:03Z

Smoke Test Results

Redis PING: ❌ timeout/no response
PostgreSQL pg_isready: ❌ no response (host.docker.internal:5432 - no response)
PostgreSQL SELECT 1: ❌ skipped (pg_isready failed)

Overall: FAIL — Service containers unreachable via host.docker.internal.

🔌 Service connectivity validated by Smoke Services

Initial plan

4b9d494

Copilot AI assigned Copilot and lpcox May 16, 2026

Copilot started work on behalf of lpcox May 16, 2026 16:31 View session

Copilot AI linked an issue May 16, 2026 that may be closed by this pull request

[aw] Daily Claude Token Optimization Advisor failed #3252

Closed

fix: prevent grep no-match exit in claude-token-optimizer step

027a94f

Copilot AI changed the title ~~[WIP] Fix daily Claude Token Optimization Advisor workflow failure~~ fix: handle grep no-match exit in claude-token-optimizer step May 16, 2026

Copilot finished work on behalf of lpcox May 16, 2026 16:36

Copilot AI requested a review from lpcox May 16, 2026 16:36

lpcox marked this pull request as ready for review May 16, 2026 16:42

lpcox requested a review from Mossaka as a code owner May 16, 2026 16:42

Copilot AI review requested due to automatic review settings May 16, 2026 16:42

Copilot started reviewing on behalf of lpcox May 16, 2026 16:42 View session

Copilot AI reviewed May 16, 2026

View reviewed changes