Run safe-outputs MCP in the gh-aw node container#39100
Co-authored-by: pelikhan <[email protected]>
💫 TO BE CONTINUED... Smoke Claude failed to deliver outputs! Our hero faces unexpected challenges...
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨
❌ Design Decision Gate 🏗️ failed to deliver outputs during design decision gate check.
🧪 Test Quality Sentinel completed test quality analysis.
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧
🌑 The shadows whisper... Smoke Codex failed to deliver outputs. The oracle requires further meditation...
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke test: PASS
- [39555] chore(deps): bump dompurify from 3.4.0 to 3.4.10 in /docs in the npm_and_yarn group across 1 directory ✅
- [39550] [spec-enforcer] Enforce specifications for cli, console, constants ✅
- Overall status: PASS
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
Comment Memory
Note
This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.
🧪 Smoke Test: Claude — Run 27630426713
Core #1-12: 1✅ 2✅ 3✅ 4✅ 5✅ 6✅ 7✅ 8✅ 9✅ 10✅ 11✅ 12✅
Overall: PARTIAL — push_to_pull_request_branch failed (infra limitation), #19 skipped.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
- accounts.google.com
- android.clients.google.com
- clients2.google.com
- contentautofill.googleapis.com
- safebrowsingohttpgateway.googleapis.com
- www.google.com
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 80.6 AIC · ⌖ 30.4 AIC · ⊞ 8.1K
| @@ -0,0 +1,5 @@ | |||
| --- | |||
Smoke test review: consider clarifying the changeset summary headline here.
| @@ -0,0 +1,5 @@ | |||
| --- | |||
| "gh-aw": patch | |||
| --- | |||
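Review bot: `"gh-aw": patch` in this changeset frontmatter classifies as a patch a change that, per the description on this page, replaces the separately started HTTP sidecar with a containerized MCP server entry and mounts the workspace rw. The remaining lines of the changeset are not shown here; they should name the new container, its three mounts and where the server script is loaded from, so that consumer repos can see the runtime change in the release notes. A minor bump is worth considering for a change of this shape.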
Smoke test review: ensure this line documents the container behavior change.
Overall status: FAIL
PR: Run safe-outputs MCP in the gh-aw node container
Warning
Firewall blocked 5 domains
The following domains were blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"
See Network Configuration for more information.
…config

PR #39100 introduced the containerized stdio transport for safeoutputs but hardcoded ${GITHUB_WORKSPACE}/actions/setup/js/safe_outputs_mcp_server.cjs as the entrypoint. This path only exists in the gh-aw repo's own workspace. For consumer repos (e.g. github-automation), GITHUB_WORKSPACE is that repo's checkout which does not contain actions/setup/js/. The gateway container gets MODULE_NOT_FOUND, crashes with EOF on initialize, and registers 0 tools. The agent then spends ~30 minutes trying to discover the tool schema before failing.

Fix: use ${RUNNER_TEMP}/gh-aw/safeoutputs/safe_outputs_mcp_server.cjs — setup.sh already copies the file there and that directory is mounted rw. Recompile all 249 lock files.

Observed in: https://github.com/github/github-automation/actions/runs/27647012218
…39689)

* fix: restore MCP CLI concept explanation and fix safeoutputs framing (#39684)

  - Restore concept explanation to mcp_cli_tools_prompt.md that was stripped by PR #36778: servers are CLI executables on PATH, not MCP tools; include usage example and JSON stdin mode
  - Fix safe_outputs_prompt.md line 2: 'safeoutputs MCP server tools' → 'safeoutputs CLI tool' to match the CLI framing
  - Update prompts.go comment to match

* fix: use RUNNER_TEMP path for safe_outputs_mcp_server.cjs in gateway config

  PR #39100 introduced the containerized stdio transport for safeoutputs but hardcoded ${GITHUB_WORKSPACE}/actions/setup/js/safe_outputs_mcp_server.cjs as the entrypoint. This path only exists in the gh-aw repo's own workspace. For consumer repos (e.g. github-automation), GITHUB_WORKSPACE is that repo's checkout which does not contain actions/setup/js/. The gateway container gets MODULE_NOT_FOUND, crashes with EOF on initialize, and registers 0 tools. The agent then spends ~30 minutes trying to discover the tool schema before failing.

  Fix: use ${RUNNER_TEMP}/gh-aw/safeoutputs/safe_outputs_mcp_server.cjs — setup.sh already copies the file there and that directory is mounted rw. Recompile all 249 lock files.

  Observed in: https://github.com/github/github-automation/actions/runs/27647012218

* Potential fix for pull request finding

  Co-authored-by: Copilot Autofix powered by AI <[email protected]>

* Potential fix for pull request finding

  Co-authored-by: Copilot Autofix powered by AI <[email protected]>

* fix: update integration tests for RUNNER_TEMP safeoutputs path

* commit tweaks

* fix: update remaining tests for RUNNER_TEMP safeoutputs path

---------

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
This changes safe-outputs from a separately started HTTP sidecar into a first-class MCP server entry. The generated workflow now runs safe-outputs inside the gh-aw-node container with write access to the workspace, safe-outputs runtime files, and the safe-outputs log directory.

What changed

ghcr.io/github/gh-aw-node.
${RUNNER_TEMP}/gh-aw/safeoutputs
/tmp/gh-aw/mcp-logs/safeoutputs

Workflow generation

config.json, tools.json) but made those files inputs to the MCP container instead of a host-side server process.

MCP server model

Generated shape

    {
      "safeoutputs": {
        "container": "ghcr.io/github/gh-aw-node",
        "mounts": [
          "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw",
          "${RUNNER_TEMP}/gh-aw/safeoutputs:${RUNNER_TEMP}/gh-aw/safeoutputs:rw",
          "/tmp/gh-aw/mcp-logs/safeoutputs:/tmp/gh-aw/mcp-logs/safeoutputs:rw"
        ],
        "args": ["-w", "${GITHUB_WORKSPACE}"]
      }
    }

Related updates

Changeset

- Type: patch
- Description: Run safe-outputs as a containerized MCP server inside the runtime instead of a separate HTTP sidecar.
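A preflight check for the failure described in the commit message above (server script path that exists only in the gh-aw checkout, so the container dies with MODULE_NOT_FOUND), written as an added example and not taken from gh-aw. The field name `entrypointArgs`, the runner paths and the host file set are assumptions made for illustration; the mounts are the ones in the generated shape.

```javascript
// Added example, not gh-aw code. `entrypointArgs` is a hypothetical field name.
// Expand ${VAR}; fail on unset variables instead of silently producing "".
function expand(s, env) {
  return s.replace(/\$\{(\w+)\}/g, (_, name) => {
    if (!(name in env)) throw new Error(`unset variable ${name}`);
    return env[name];
  });
}

// Collapse ".", ".." and repeated slashes in an absolute POSIX path.
function normalize(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return "/" + out.join("/");
}

// Report script paths that no mount exposes or that are absent on the host.
function checkEntry(entry, env, hostHas) {
  const mounts = entry.mounts.map((m) => {
    const [host, target] = expand(m, env).split(":");
    return { host: normalize(host), target: normalize(target) };
  });
  const problems = [];
  for (const arg of entry.entrypointArgs.filter((a) => a.endsWith(".cjs"))) {
    const script = normalize(expand(arg, env));
    const m = mounts.find((x) => script.startsWith(x.target + "/"));
    if (!m) { problems.push(`${script}: not under any mount`); continue; }
    const hostPath = m.host + script.slice(m.target.length);
    if (!hostHas(hostPath)) problems.push(`${script}: missing on host (${hostPath})`);
  }
  return problems;
}

// Constructed sample: a consumer-repo runner whose checkout has no actions/setup/js/.
const env = { GITHUB_WORKSPACE: "/home/runner/work/app/app", RUNNER_TEMP: "/home/runner/_temp" };
const hostFiles = new Set(["/home/runner/_temp/gh-aw/safeoutputs/safe_outputs_mcp_server.cjs"]);
const hostHas = (p) => hostFiles.has(p);
const mounts = [
  "${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw",
  "${RUNNER_TEMP}/gh-aw/safeoutputs:${RUNNER_TEMP}/gh-aw/safeoutputs:rw",
  "/tmp/gh-aw/mcp-logs/safeoutputs:/tmp/gh-aw/mcp-logs/safeoutputs:rw",
];
const before = { mounts, entrypointArgs: ["${GITHUB_WORKSPACE}/actions/setup/js/safe_outputs_mcp_server.cjs"] };
const after = { mounts, entrypointArgs: ["${RUNNER_TEMP}/gh-aw/safeoutputs/safe_outputs_mcp_server.cjs"] };
console.log(checkEntry(before, env, hostHas), checkEntry(after, env, hostHas));
```

Run before the gateway starts, a non-empty result fails the job immediately instead of leaving the agent with zero registered tools.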
✨ PR Review Safe Output Test - Run 27471836462
✨ PR Review Safe Output Test - Run 27515525875
✨ PR Review Safe Output Test - Run 27630426713