fix: revert sandbox.agent.sudo to true in glossary-maintainer workflow#41426
Merged
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Debug workflow failure for glossary maintainer
fix: revert sandbox.agent.sudo to true in glossary-maintainer workflow
Jun 25, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request restores the Glossary Maintainer agentic workflow’s ability to run successfully by reverting it back to sudo-enabled sandbox execution, and recompiling the generated workflow lockfile so the runtime wiring matches the restored sandbox mode.
Changes:
- Revert
sandbox.agent.sudofromfalsetotrueinglossary-maintainer.md. - Recompile
glossary-maintainer.lock.yml, restoring the sudo-based AWF invocation (including host-access flags) and the firewall log permission fix-up to prevent artifact uploadEACCES.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/glossary-maintainer.md | Re-enables sandbox.agent.sudo: true for the workflow’s sandboxed agent execution. |
| .github/workflows/glossary-maintainer.lock.yml | Updates the compiled workflow to match sudo mode (AWF install/run flags, MCP gateway networking, and firewall log chmod before artifact upload). |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 0
This was referenced Jun 25, 2026
This was referenced Jun 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit
44bc1b75("chore: set sandbox.agent.sudo: false on 30% of agentic workflows") broke the Glossary Maintainer workflow — the agent step failed with exit code 1 and artifact upload failed withEACCESon firewall log files.What broke in non-sudo mode
sudo -E awf ... --enable-host-access --allow-host-ports 80,443,8080 --difc-proxy-host host.docker.internal:18443→awf ... --difc-proxy-host awmg-cli-proxy:18443, changing the firewall network topology and causing agent startup failure.sudo chmod -R a+rX /tmp/gh-aw/sandbox/firewallstep was removed. Firewall Docker containers still write root-owned files to the host volume, so the runner user hitsEACCESwhen the artifact upload tries to zip them.Fix
Reverts
sandbox.agent.sudo: false → trueinglossary-maintainer.mdand recompiles. This restoressudo -E awfwith the correct host-access flags and thechmodpermission-fix step.