Fix GH_AW_BIN detection failure under bash -e/pipefail#28339
Conversation
The `GH_AW_BIN=$(which gh-aw 2>/dev/null || find ...)` pattern fails under
`bash -e` because `which` exits with 1 when the binary is not on PATH,
potentially aborting the script before the `find` fallback runs. Also,
`find ... | head -1` with `set -o pipefail` can fail due to broken pipe.
Replace the single-line compound command with explicit sequential steps
using `|| true` to prevent errexit from aborting on failure:
GH_AW_BIN=\"\"
GH_AW_BIN=$(which gh-aw 2>/dev/null) || true
if [ -z \"$GH_AW_BIN\" ]; then
GH_AW_BIN=$(find \"${HOME}/.local/share/gh/extensions/gh-aw\" ...) || true
fi
Changes:
- pkg/workflow/mcp_setup_generator.go: Fix compiled lock file generation
- .github/workflows/shared/mcp/gh-aw.md: Fix shared MCP component
- pkg/workflow/testdata/.../smoke-copilot.golden: Update golden file
- .github/workflows/*.lock.yml: Recompiled with updated logic
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a3614c93-5459-43c4-b62e-144ddc1f9a2f
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
This comment has been minimized.
This comment has been minimized.
|
Hey A few things to address before this is ready for review:
If you'd like a hand finishing this up, here's a ready-to-use agent prompt:
|
There was a problem hiding this comment.
Pull request overview
Fixes gh-aw binary detection in generated workflow steps so jobs don’t fail under GitHub Actions’ default bash -e + pipefail behavior when which returns non-zero or when find | head triggers a broken pipe.
Changes:
- Updates the MCP setup generator to emit multi-line,
|| true-guarded gh-aw binary detection logic. - Applies the same detection logic to the shared
shared/mcp/gh-aw.mdcomponent. - Recompiles golden/lock workflow artifacts to reflect the new generated script.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/mcp_setup_generator.go | Updates code generation for the gh-aw install step to avoid errexit/pipefail aborts during binary detection. |
| .github/workflows/shared/mcp/gh-aw.md | Updates the shared workflow component with the same safer binary detection logic. |
| pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden | Updates golden fixture output to match the new generated bash snippet. |
| .github/workflows/workflow-normalizer.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/weekly-blog-post-writer.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/static-analysis-report.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/smoke-copilot.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/smoke-copilot-arm.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/smoke-claude.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/security-review.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/safe-output-health.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/q.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/python-data-charts.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/prompt-clustering-analysis.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/metrics-collector.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/mcp-inspector.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/example-workflow-analyzer.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/dev-hawk.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/deep-report.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/daily-safe-output-optimizer.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/daily-rendering-scripts-verifier.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/daily-observability-report.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet (plus regenerated heredoc delimiters). |
| .github/workflows/daily-integrity-analysis.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/daily-firewall-report.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/daily-cli-tools-tester.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/copilot-token-audit.lock.yml | Recompiled lock workflow (string run: form) with updated gh-aw binary detection snippet. |
| .github/workflows/cloclo.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/aw-failure-investigator.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/audit-workflows.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/api-consumption-report.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/agentic-optimization-kit.lock.yml | Recompiled lock workflow (string run: form) with updated gh-aw binary detection snippet. |
| .github/workflows/agentic-observability-kit.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/agent-persona-explorer.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
| .github/workflows/agent-performance-analyzer.lock.yml | Recompiled lock workflow with updated gh-aw binary detection snippet. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 34/34 changed files
- Comments generated: 2
| yaml.WriteString(" GH_AW_BIN=\"\"\n") | ||
| yaml.WriteString(" GH_AW_BIN=$(which gh-aw 2>/dev/null) || true\n") | ||
| yaml.WriteString(" if [ -z \"$GH_AW_BIN\" ]; then\n") | ||
| yaml.WriteString(" GH_AW_BIN=$(find \"${HOME}/.local/share/gh/extensions/gh-aw\" -name 'gh-aw' -type f 2>/dev/null | head -1) || true\n") | ||
| yaml.WriteString(" fi\n") |
There was a problem hiding this comment.
GH_AW_BIN detection still relies on which, which is not guaranteed to be available in minimal runner/container images. In other parts of the generated workflows you already use which ... || command -v ..., so consider switching this to command -v gh-aw (or which ... || command -v ...) to make detection work even when which is missing.
| mkdir -p "${RUNNER_TEMP}/gh-aw" | ||
| GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) | ||
| GH_AW_BIN="" | ||
| GH_AW_BIN=$(which gh-aw 2>/dev/null) || true |
There was a problem hiding this comment.
This step uses which gh-aw to detect the binary. which is not always installed (especially in minimal/container environments), so the detection can still fail even if gh-aw is on $PATH. Prefer command -v gh-aw (or which ... || command -v ...) to make this more robust.
| GH_AW_BIN=$(which gh-aw 2>/dev/null) || true | |
| GH_AW_BIN=$(command -v gh-aw 2>/dev/null) || true |
There was a problem hiding this comment.
The smoke test agent agrees — command -v is the right choice here over which. This is now addressed in the PR. 🤖✅
📰 BREAKING: Report filed by Smoke Copilot · ● 726.3K
|
Review all comments, merge main, and recompile. @copilot. |
…py-logic-failure # Conflicts: # .github/workflows/daily-observability-report.lock.yml Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
which is not guaranteed to be available in all environments; command -v is a POSIX built-in that works even in minimal containers. Also merge main and recompile all lock files. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7359daa4-8762-402c-90de-1185310c3f6b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in a1cffe3: switched Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
|
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
|
|
🚀 Smoke OpenCode MISSION COMPLETE! OpenCode delivered. 🔥 |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
Agent Container Tool Check
Result: 11/12 tools available Overall Status: FAIL —
|
Smoke Test
Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "ab.chatgpt.com"
- "chatgpt.com"See Network Configuration for more information.
|
|
Smoke Test Results (run §24913976862)\n\n@pelikhan
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Smoke test review of PR #28339. The binary detection fix is correct and addresses the bash -e/pipefail reliability issue. Two inline comments left on specific lines. Overall the approach is solid.
📰 BREAKING: Report filed by Smoke Copilot · ● 726.3K
|
Commit pushed:
|
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal! Run 24913976844 — Claude engine validation complete.
💥 [THE END] — Illustrated by Smoke Claude · ● 178K
| GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1) | ||
| GH_AW_BIN="" | ||
| GH_AW_BIN=$(command -v gh-aw 2>/dev/null) || true | ||
| if [ -z "$GH_AW_BIN" ]; then |
There was a problem hiding this comment.
🔍 Smoke test review comment #1 — The binary detection fallback using command -v gh-aw followed by a find fallback looks correct and robust. Good use of POSIX-compatible command -v over which. Run 24913976844.
| GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
| name: Install gh-aw extension | ||
| run: "# Install gh-aw if not already available\nif ! gh aw --version >/dev/null 2>&1; then\n echo \"Installing gh-aw extension...\"\n curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash\nfi\ngh aw --version\n# Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization\nmkdir -p \"${RUNNER_TEMP}/gh-aw\"\nGH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1)\nif [ -n \"$GH_AW_BIN\" ] && [ -f \"$GH_AW_BIN\" ]; then\n cp \"$GH_AW_BIN\" \"${RUNNER_TEMP}/gh-aw/gh-aw\"\n chmod +x \"${RUNNER_TEMP}/gh-aw/gh-aw\"\n echo \"Copied gh-aw binary to ${RUNNER_TEMP}/gh-aw/gh-aw\"\nelse\n echo \"::error::Failed to find gh-aw binary for MCP server\"\n exit 1\nfi\n" | ||
| run: "# Install gh-aw if not already available\nif ! gh aw --version >/dev/null 2>&1; then\n echo \"Installing gh-aw extension...\"\n curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash\nfi\ngh aw --version\n# Copy the gh-aw binary to ${RUNNER_TEMP}/gh-aw for MCP server containerization\nmkdir -p \"${RUNNER_TEMP}/gh-aw\"\nGH_AW_BIN=\"\"\nGH_AW_BIN=$(command -v gh-aw 2>/dev/null) || true\nif [ -z \"$GH_AW_BIN\" ]; then\n GH_AW_BIN=$(find \"${HOME}/.local/share/gh/extensions/gh-aw\" -name 'gh-aw' -type f 2>/dev/null | head -1) || true\nfi\nif [ -n \"$GH_AW_BIN\" ] && [ -f \"$GH_AW_BIN\" ]; then\n cp \"$GH_AW_BIN\" \"${RUNNER_TEMP}/gh-aw/gh-aw\"\n chmod +x \"${RUNNER_TEMP}/gh-aw/gh-aw\"\n echo \"Copied gh-aw binary to ${RUNNER_TEMP}/gh-aw/gh-aw\"\nelse\n echo \"::error::Failed to find gh-aw binary for MCP server\"\n exit 1\nfi\n" |
There was a problem hiding this comment.
🔍 Smoke test review comment #2 — The single-line run script has been correctly updated to initialize GH_AW_BIN="" before attempting detection, preventing potential issues with unbound variables in strict shell environments. Run 24913976844.
The "Install gh-aw extension" step in compiled lock files fails with
Failed to find gh-aw binary for MCP servereven when the binary is installed, becausegh-awis a gh extension (not on$PATH) and the single-line||fallback is unreliable underbash -e+set -o pipefail.Changes
pkg/workflow/mcp_setup_generator.go— fix the code generator that emits the binary detection logic into compiled lock files.github/workflows/shared/mcp/gh-aw.md— same fix in the shared component used by workflows withimports: uses: shared/mcp/gh-aw.mdsmoke-copilot.golden+ lock files — recompiled to reflect the updated logicBefore:
GH_AW_BIN=$(which gh-aw 2>/dev/null || find ~/.local/share/gh/extensions/gh-aw -name 'gh-aw' -type f 2>/dev/null | head -1)After:
The
|| trueguards ensure a non-zero exit from binary lookup and a broken-pipe fromfind | head -1don't abort the step under errexit/pipefail.command -v(a POSIX shell built-in) is used instead ofwhichso detection works even in minimal container environments wherewhichmay not be installed.Changeset
gh-awbinary detection in generated MCP setup steps so runs do not fail underbash -eandset -o pipefailwhen the extension binary is installed outside$PATH.Warning
Firewall blocked 2 domains
The following domains were blocked by the firewall during workflow execution:
ab.chatgpt.comchatgpt.comSee Network Configuration for more information.
✨ PR Review Safe Output Test - Run 24913976844