[WIP] Fix security guard workflow failure due to authentication issues#5306
Conversation
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
There was a problem hiding this comment.
Pull request overview
This PR updates the Security Guard locked workflow’s Copilot “dummy BYOK” environment value to a GitHub-token-shaped placeholder to avoid Copilot authentication failures, and tightens CI assertions to ensure the lock workflow contains the expected value.
Changes:
- Update
.github/workflows/security-guard.lock.ymlto setCOPILOT_DUMMY_BYOKtoghu_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa(token-shaped placeholder) instead ofdummy-byok-key-for-offline-mode. - Extend
scripts/ci/security-guard-workflow.test.tsto assert the new placeholder is present and the old dummy value is absent.
Show a summary per file
| File | Description |
|---|---|
| scripts/ci/security-guard-workflow.test.ts | Adds assertions that the compiled lock workflow includes the token-shaped Copilot placeholder and excludes the previous dummy string. |
| .github/workflows/security-guard.lock.yml | Switches the COPILOT_DUMMY_BYOK env value used by the workflow to a token-shaped placeholder to prevent auth-path failures. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 1
|
|
||
| expect(lock).toContain('"agent_model":"claude-haiku-4-5"'); | ||
| expect(lock).toContain('COPILOT_MODEL: claude-haiku-4-5'); | ||
| expect(lock).toContain('COPILOT_DUMMY_BYOK: ghu_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'); |
There was a problem hiding this comment.
Fixed — the test now imports COPILOT_PLACEHOLDER_TOKEN from src/constants/placeholders.ts and uses that shared constant in the lockfile assertion.
|
@copilot address the review feedback and fix the pr title and summary |
|
@copilot address the review feedback and fix the pr title and summary |
|
✅ Copilot review passed with no inline comments. @copilot Add the |
|
❌ Smoke Copilot BYOK AOAI (Entra) reports failed. AOAI BYOK (Entra) mode investigation needed... |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
🔌 Smoke Services — All services reachable! ✅ |
|
✅ Smoke Gemini completed. All facets verified. 💎 |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✅ Build Test Suite completed successfully! |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
❌ Smoke Claude failed |
|
🚀 Security Guard has started processing this pull request |
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
✅ Contribution Check completed successfully! |
|
❌ Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed... |
🔥 Smoke Test Results
PR: [WIP] Fix security guard workflow failure due to authentication issues Overall: PASS ✅
|
🔬 Smoke Test: Copilot PAT Auth — PARTIAL PASS
Overall: PARTIAL — MCP and network tests pass; pre-step template vars ( Auth mode: PAT (COPILOT_GITHUB_TOKEN) | PR by
|
Smoke Test Results: Copilot BYOK (Direct Mode)✅ GitHub MCP connectivity — Listed recent PRs successfully Status: PASS — All smoke tests successful
|
|
Merged PRs:
Tests:
Overall: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Smoke Test: Gemini Engine Validation
Overall status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
🔍 Chroot Runtime Version Comparison
Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.
|
Smoke Test: API Proxy OpenTelemetry Tracing
All scenarios pass. OTEL tracing integration is fully functional.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
Smoke Test Results — Services Connectivity
Overall: FAIL
|
Done — I addressed the review feedback by using the shared |
…5329) * perf(security-guard): prioritize security-relevant files in PR diff The Security Guard agent's pre-fetched diff dumped full patches for every changed file, so large refactor PRs sent oversized prompts (cost, latency, and a larger first-request that can trip the upstream Copilot provider). Rework the pre-fetch so it includes full patches only for security-relevant files (matching the same path regex the relevance gate uses), largest first, and lists every other changed file by name only. A non-security file's patch no longer bloats the prompt (e.g. a workflow/test-only PR drops from ~22 KB to a few hundred bytes). Also stop instructing the agent to re-fetch the entire PR diff on truncation: security-relevant patches are shown first, so it should only fetch a still-missing security-relevant file via get_pull_request_diff. Prompt copy and the truncation note updated to match. Recompiled the lock (security-relevant patch prioritization in the pr-diff step); the COPILOT_DUMMY_BYOK placeholder fix from #5306 and the gh-aw-mcpg image pin are preserved. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security-guard): address review feedback on diff scope and wording --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Uh oh!
There was an error while loading. Please reload this page.