fix: raise security-guard turn budget to avoid hard-cap 403#5484
Open
lpcox wants to merge 1 commit into
Open
Conversation
The Security Guard agent runs with max-turns: 6, which compiles to the api-proxy hard cap maxRuns: 6. A real security review of a PR diff exhausts that budget mid-task; the api-proxy then returns HTTP 403, which the Copilot CLI surfaces as a non-retryable "authentication_failed" error and the agent job fails (see #5483, run 28107226319: 136.1k tokens used, +0/-0 changes before the 403). Raise max-turns to 12 (in line with peer agentic workflows: 8-10) so a review can complete without tripping the proxy run cap. Recompiled the lock file and updated the pinned assertions in security-guard-workflow.test.ts. Fixes #5483 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
Contributor
There was a problem hiding this comment.
Pull request overview
Increases the Security Guard agentic workflow turn budget to prevent the api-proxy maxRuns hard-cap from aborting mid-review with a non-retryable HTTP 403 (as seen in #5483).
Changes:
- Raised
max-turnsin.github/workflows/security-guard.mdfrom 6 → 12. - Regenerated
.github/workflows/security-guard.lock.ymlsoapiProxy.maxRunsandGH_AW_MAX_TURNSmatch the new limit (12). - Updated
scripts/ci/security-guard-workflow.test.tsassertions to reflect the new turn budget.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/security-guard.md |
Bumps workflow max-turns to 12 to allow longer security reviews to complete. |
.github/workflows/security-guard.lock.yml |
Updates compiled lock output (maxRuns + GH_AW_MAX_TURNS) to 12 to match the source workflow. |
scripts/ci/security-guard-workflow.test.ts |
Updates pinned string assertions for the new max-turns / GH_AW_MAX_TURNS value. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses #5483 — an auto-generated "Security Guard failed" report for run
28107226319.The Security Guard agentic workflow runs with
max-turns: 6, which compiles to the api-proxy hard capmaxRuns: 6. A genuine security review of a PR diff exhausts that 6-call budget mid-task; the api-proxy then returns HTTP 403, which the Copilot CLI surfaces as a non-retryableauthentication_failederror, failing theagentjob.Evidence from the failing run
Authentication failed with provider at http://172.30.0.30:10002 (HTTP 403)(port 10002 = Copilot api-proxy endpoint).failureClass=authentication_failed, first-attempt → non-retryable.git log, inspecting the diff) when it died: 136.1k tokens used (105.1k cached),+0 -0changes — it never got to post its review.apiProxy: { maxRuns: 6, maxCacheMisses: 5, ... }.Fix
Raise
max-turnsfrom6→12, in line with peer agentic workflows in this repo (doc-maintainer 8, red-team 8, smoke-claude 8, firewall-issue-dispatcher 10). This gives a review enough model round-trips to complete without tripping the proxy run cap.Changes
.github/workflows/security-guard.md—max-turns: 6→12.github/workflows/security-guard.lock.yml— recompiled (maxRuns/GH_AW_MAX_TURNS→ 12); post-processedscripts/ci/security-guard-workflow.test.ts— updated pinned assertionsTesting
npx jest scripts/ci/security-guard-workflow.test.ts→ 2 passed.Fixes #5483
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com