Add CI repro test for GH_HOST proxy/PR checkout mismatch (issue #23461) #23496
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/9265dc70-a8c3-4f92-b400-21c19ea7ce36 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Adds a CI repro to capture the gh pr checkout failure mode when GH_HOST is rewritten to a local proxy host that does not match any configured git remote (issue #23461).
Changes:
- Adds a new CI job `sh-gh-host-pr-checkout-repro` that starts a local HTTP server, sets `GH_HOST` via `configure_gh_for_ghe.sh`, and runs `gh pr checkout` expecting failure.
- Updates several smoke `*.lock.yml` workflow prompts to include additional safe-output tools (Slack/Notion/label-related).
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/ci.yml | Adds the new GH_HOST/PR checkout repro CI job. |
| .github/workflows/smoke-copilot.lock.yml | Adds send_slack_message to the safe-output tools list in the compiled workflow. |
| .github/workflows/smoke-copilot-arm.lock.yml | Adds send_slack_message to the safe-output tools list in the compiled workflow. |
| .github/workflows/smoke-codex.lock.yml | Adds add_smoked_label to the safe-output tools list in the compiled workflow. |
| .github/workflows/smoke-claude.lock.yml | Adds post_slack_message to the safe-output tools list in the compiled workflow. |
| .github/workflows/mcp-inspector.lock.yml | Adds notion_add_comment and post_to_slack_channel to the safe-output tools list in the compiled workflow. |
| <safe-output-tools> | ||
| Tools: add_comment(max:2), create_issue, create_discussion, create_pull_request_review_comment(max:5), submit_pull_request_review, reply_to_pull_request_review_comment(max:5), add_labels, remove_labels, set_issue_type, dispatch_workflow, missing_tool, missing_data, noop | ||
| Tools: add_comment(max:2), create_issue, create_discussion, create_pull_request_review_comment(max:5), submit_pull_request_review, reply_to_pull_request_review_comment(max:5), add_labels, remove_labels, set_issue_type, dispatch_workflow, missing_tool, missing_data, noop, send_slack_message | ||
| </safe-output-tools> |
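Review bot: `send_slack_message` is appended to the end of the Tools line with no `(max:N)` limit, while `add_comment`, `create_pull_request_review_comment` and `reply_to_pull_request_review_comment` on the same line are capped. A tool that posts to an external channel is a reasonable one to cap as well: add a limit in the workflow this lock file is compiled from, if the tool supports one, or note where the number of messages per run is bounded.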
This PR also updates multiple *.lock.yml workflows to add new safe-output tools (e.g., send_slack_message, post_slack_message, notion_add_comment, etc.), but the PR description only mentions adding the new CI repro job. Please either mention these lockfile tool-list changes in the PR description or split them into a separate PR so the review intent is clear.
.github/workflows/ci.yml
Outdated
| echo "✅ gh pr checkout failed as expected (different error, proxy host rejected)" | ||
| echo " Error: ${error_output}" |
The repro job currently treats any non-zero exit from gh pr checkout as a pass (it prints a ✅ even when the expected GH_HOST/remote mismatch string is not present). That means the job can succeed for unrelated failures (e.g., auth/gh CLI changes) and would no longer specifically reproduce issue #23461 as described. Consider failing the step unless the output matches the expected message (ideally the full string from the PR description) so the job asserts the exact failure mode.
| echo "✅ gh pr checkout failed as expected (different error, proxy host rejected)" | |
| echo " Error: ${error_output}" | |
| echo "❌ gh pr checkout failed, but not with the expected GH_HOST/git remote mismatch error" | |
| echo " Unexpected error output: ${error_output}" | |
| exit 1 |
.github/workflows/ci.yml
Outdated
| # This is the "local proxy" referenced in the repro scenario for issue #23461: | ||
| # a server IS running on the proxy host, but git remotes still point to the real | ||
| # GitHub host, causing `gh pr checkout` to fail. | ||
| python3 -m http.server 19443 --directory /tmp >/tmp/local-proxy.log 2>&1 & |
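Review bot: `--directory /tmp` on the `python3 -m http.server` line serves everything in the runner's `/tmp` over HTTP for as long as the server runs, including `/tmp/local-proxy.log` itself. The repro only needs something listening on port 19443, so point `--directory` at a fresh empty directory (for example one created with `mktemp -d`). The process is also started with `&`, and nothing in these lines waits for the port to accept connections or stops the server afterwards; capture `$!` and kill it in a cleanup step.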
python3 -m http.server binds to all interfaces by default. Since this is intended to simulate a localhost-only proxy, bind explicitly to 127.0.0.1 (e.g., via --bind) to avoid exposing an unnecessary listener on the runner network surface.
| python3 -m http.server 19443 --directory /tmp >/tmp/local-proxy.log 2>&1 & | |
| python3 -m http.server 19443 --bind 127.0.0.1 --directory /tmp >/tmp/local-proxy.log 2>&1 & |
@copilot Review comments
…nrelated lock files Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0ea2e001-41fa-4d3b-9ef9-c5e4ffb35a39 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Addressed all three review comments in d53756f:
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
| echo "4. \`gh pr checkout\` fails because no git remote matches \`GH_HOST\`" >> $GITHUB_STEP_SUMMARY | ||
| echo "" >> $GITHUB_STEP_SUMMARY | ||
| echo "The existing \`sh-difc-proxy\` job uses the full Docker-based DIFC proxy; this job" >> $GITHUB_STEP_SUMMARY | ||
| echo "provides a lightweight local-proxy repro that does not require Docker." >> $GITHUB_STEP_SUMMARY |
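Review bot: `$GITHUB_STEP_SUMMARY` is unquoted in every redirect in this hunk (`>> $GITHUB_STEP_SUMMARY`). Quote it, and consider grouping the `echo` lines in a single `{ ...; } >> "$GITHUB_STEP_SUMMARY"` block so the file is opened once and the escaped backticks are easier to read.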
Consider adding a brief explanation of why the GH_HOST mismatch error is the specific failure mode to reproduce — a one-liner comment would help future readers understand the assertion intent at a glance.
| echo "2. \`gh\` CLI calls are routed through the proxy (\`GH_HOST=localhost:18443\`)" >> $GITHUB_STEP_SUMMARY | ||
| echo "3. \`actions/github-script\` sees the proxy env (\`GH_HOST=localhost:18443\`)" >> $GITHUB_STEP_SUMMARY | ||
| echo "4. \`stop_difc_proxy.sh\` stops the proxy container" >> $GITHUB_STEP_SUMMARY | ||
|
|
The job name clearly maps to the issue — good approach for traceability. Consider linking the issue number in the name: field or a comment so it survives future renames of the issue reference.
@copilot review failure
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/04832645-231c-4210-a360-c7fe1535843d Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in 7e45cef. The root cause: The fix replaces the
When a DIFC-style proxy rewrites `GH_HOST` to a localhost address, `gh pr checkout` fails immediately because no git remote matches the proxy host — the error never reaches the API layer.
Changes
`sh-gh-host-pr-checkout-repro` — lightweight repro that does not require Docker, unlike the existing `sh-difc-proxy` job:
- `localhost:19443` as the local proxy
- `configure_gh_for_ghe.sh` with `GITHUB_SERVER_URL=http://localhost:19443` to set `GH_HOST=localhost:19443` via `$GITHUB_ENV`, matching how a real proxy-rewritten environment looks
- `gh pr checkout 1` and asserts it exits non-zero with `"none of the git remotes configured for this repository correspond to the GH_HOST environment variable"` — confirming the exact failure mode from the issue
PR #1 is used intentionally — the failure occurs at remote-validation time, before `gh` contacts any API endpoint, so the PR number is irrelevant to the repro.
✨ PR Review Safe Output Test - Run 23723404384
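The assertion the description calls for, and the one the review comment on the ✅ branch asks for, sketched as an added example that is not code from this PR. `check_repro`, `run_and_check` and the `fake_*` commands are hypothetical names, and the sample outputs are constructed.

```shell
# Added example (not the PR's code): pass the repro only on the exact failure.
# Message text as quoted in the PR description.
EXPECTED_ERR='none of the git remotes configured for this repository correspond to the GH_HOST environment variable'

# check_repro EXIT_CODE OUTPUT  (hypothetical helper)
#   0 = failed with the expected message (issue reproduced)
#   1 = command succeeded (mismatch not reproduced)
#   2 = failed for some other reason (auth, network, CLI change, ...)
check_repro() {
  if [ "$1" -eq 0 ]; then
    return 1
  fi
  # A quoted pattern in `case` is a literal substring match: no regex and no
  # pipe, so it behaves the same under `set -o pipefail`.
  case "$2" in
    *"$EXPECTED_ERR"*) return 0 ;;
  esac
  return 2
}

# run_and_check CMD [ARGS...]  (hypothetical helper)
# Captures stdout+stderr and the exit status without tripping `set -e`:
# the `|| rc=$?` keeps a failing command from aborting the step.
run_and_check() {
  rc=0
  out="$("$@" 2>&1)" || rc=$?
  check_repro "$rc" "$out"
}

# Constructed stand-ins for `gh pr checkout 1`; not captured from a real run.
fake_mismatch() { echo "$EXPECTED_ERR" >&2; return 1; }
fake_auth_error() { echo "constructed: authentication required" >&2; return 4; }
fake_success() { echo "constructed: switched to branch"; return 0; }

# In the CI step this would be: run_and_check gh pr checkout 1
for cmd in fake_mismatch fake_auth_error fake_success; do
  status=0
  run_and_check "$cmd" || status=$?
  echo "$cmd -> $status"
done
```

Only the first stand-in yields status 0; an unrelated failure returns 2 and an unexpected success returns 1, so the job stops passing if the failure mode changes.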