Skip to content

Commit 537a65e

Browse files
docs: unbloat debugging.md (48% line reduction) (#34261)
1 parent d5b308d commit 537a65e

1 file changed

Lines changed: 44 additions & 210 deletions

File tree

docs/src/content/docs/troubleshooting/debugging.md

Lines changed: 44 additions & 210 deletions
Original file line numberDiff line numberDiff line change
@@ -12,103 +12,38 @@ This guide shows you how to debug agentic workflow failures on **github.com** us
1212
1313
## Debugging with the Copilot CLI
1414

15-
The Copilot CLI can audit logs, trace failures, and suggest fixes interactively. This is the recommended first step for any workflow failure.
15+
The Copilot CLI is the recommended first step: it audits logs, traces failures, and suggests fixes interactively.
1616

17-
### Step 1: Launch the Copilot CLI
18-
19-
```bash
20-
copilot
21-
```
22-
23-
### Step 2: Load the Agentic Workflows Agent
24-
25-
Once inside the Copilot CLI, run:
26-
27-
```text
28-
/agent
29-
```
30-
31-
Select **agentic-workflows** from the list. This gives Copilot access to the `gh aw audit`, `gh aw logs`, and other debugging tools.
32-
33-
### Step 3: Ask Copilot to Debug the Failure
34-
35-
Paste the failing run URL and ask Copilot to investigate:
17+
Launch `copilot`, run `/agent` and select **agentic-workflows** to enable `gh aw audit`, `gh aw logs`, and related debugging tools. Then paste the failing run URL:
3618

3719
```text
3820
Debug this workflow run: https://github.com/OWNER/REPO/actions/runs/RUN_ID
3921
```
4022

41-
Copilot will:
23+
Copilot downloads the logs, identifies the root cause (missing tools, permission errors, network blocks), and suggests fixes or opens a PR. Follow-up questions like "What domains were blocked?" or "Why did the MCP server fail?" work too.
4224

43-
- Download and audit the run logs
44-
- Identify the root cause (missing tools, permission errors, network blocks, etc.)
45-
- Suggest targeted fixes or open a pull request with the fix
25+
### Alternative entry points
4626

47-
You can also ask follow-up questions:
27+
- **Copilot Chat on GitHub.com** (requires [agentic authoring setup](/gh-aw/guides/agentic-authoring/)): `/agent agentic-workflows debug <run-url>`
28+
- **Any coding agent**: paste this prompt to install `gh aw` and run the standalone analysis:
4829

49-
```text
50-
What domains were blocked by the firewall?
51-
Show me the safe-outputs from this run.
52-
Why did the MCP server fail to connect?
53-
```
54-
55-
### Alternative: Copilot Chat on GitHub.com
30+
```text
31+
Debug this workflow run using https://raw.githubusercontent.com/github/gh-aw/main/debug.md
5632
57-
If your repository is [configured for agentic authoring](/gh-aw/guides/agentic-authoring/), you can use Copilot Chat directly on GitHub.com:
58-
59-
```text
60-
/agent agentic-workflows debug https://github.com/OWNER/REPO/actions/runs/RUN_ID
61-
```
62-
63-
### Alternative: Any Coding Agent
64-
65-
For coding agents that don't have the agentic-workflows agent pre-configured, use the standalone debug prompt:
66-
67-
```text
68-
Debug this workflow run using https://raw.githubusercontent.com/github/gh-aw/main/debug.md
69-
70-
The failed workflow run is at https://github.com/OWNER/REPO/actions/runs/RUN_ID
71-
```
72-
73-
The agent will install `gh aw`, analyze logs, identify the root cause, and suggest a fix.
33+
The failed workflow run is at https://github.com/OWNER/REPO/actions/runs/RUN_ID
34+
```
7435

7536
## Debugging with CLI Commands
7637

7738
### Auditing a Specific Run
7839

79-
`gh aw audit` gives a comprehensive breakdown of a single run — overview, metrics, tool usage, MCP failures, firewall analysis, behavior fingerprint, and artifacts:
40+
`gh aw audit` breaks down a single run — failure analysis and root cause, behavior fingerprint (network/tool/cost profile), tool usage, MCP server status, firewall analysis, token/cost metrics, and safe-outputs. Accepts a run ID, run URL, job URL (extracts first failing step), or step URL.
8041

8142
```bash
82-
# By run ID
8343
gh aw audit 12345678
84-
85-
# By full URL
86-
gh aw audit https://github.com/OWNER/REPO/actions/runs/12345678
87-
88-
# By job URL (extracts first failing step)
89-
gh aw audit https://github.com/OWNER/REPO/actions/runs/123/job/456
90-
91-
# By step URL (extracts a specific step)
9244
gh aw audit https://github.com/OWNER/REPO/actions/runs/123/job/456#step:7:1
93-
94-
# Parse to markdown for sharing
95-
gh aw audit 12345678 --parse
96-
```
97-
98-
Audit output includes:
99-
100-
- **Failure analysis** with error summary and root cause
101-
- **Behavior fingerprint** — multi-dimensional characterization of the run's network, tool, and cost profile
102-
- **Tool usage** — which tools were called, which failed, and why
103-
- **MCP server status** — connection failures, timeout errors, and per-server health
104-
- **Firewall analysis** — blocked domains, allowed traffic, and policy attribution
105-
- **Token/cost metrics** — per-run inference spend and token usage
106-
- **Safe-outputs** — structured outputs the agent produced
107-
108-
To compare behavior between two runs and detect regressions across firewall, MCP, and metrics dimensions, pass multiple run IDs directly to `audit`:
109-
110-
```bash
111-
gh aw audit 12345678 12345679
45+
gh aw audit 12345678 --parse # parse to markdown
46+
gh aw audit 12345678 12345679 # compare two runs
11247
gh aw audit 12345678 12345679 --format markdown
11348
```
11449

@@ -123,217 +58,116 @@ See [Audit Commands](/gh-aw/reference/audit/) for complete flag documentation.
12358

12459
### Analyzing Workflow Logs
12560

126-
`gh aw logs` downloads and analyzes logs across multiple runs with tool usage, network patterns, errors, and warnings:
61+
`gh aw logs` downloads and analyzes logs across multiple runs (tool usage, network patterns, errors). Results are cached for 10–100× speedup on later runs.
12762

12863
```bash
129-
# Download logs for a workflow
13064
gh aw logs my-workflow
131-
132-
# Filter by count and date range
133-
gh aw logs my-workflow -c 10 --start-date -1w
134-
135-
# Include firewall analysis
136-
gh aw logs my-workflow --firewall
137-
138-
# Include safe-output details
139-
gh aw logs my-workflow --safe-output
140-
141-
# JSON output for scripting
142-
gh aw logs my-workflow --json
65+
gh aw logs my-workflow -c 10 --start-date -1w # filter by count and date
66+
gh aw logs my-workflow --firewall # include firewall analysis
67+
gh aw logs my-workflow --safe-output # include safe-output details
68+
gh aw logs my-workflow --json # JSON for scripting
14369
```
14470

145-
Results are cached locally for 10–100× speedup on subsequent runs.
146-
14771
### Checking Workflow Health
14872

149-
`gh aw health` gives a quick overview of workflow status across all workflows in a repository:
150-
151-
```bash
152-
gh aw health
153-
```
73+
`gh aw health` reports workflow status across all workflows in a repository.
15474

15575
### Inspecting MCP Configuration
15676

15777
If you suspect MCP server issues, inspect the compiled configuration:
15878

15979
```bash
160-
# List all workflows with MCP servers
161-
gh aw mcp list
162-
163-
# Inspect MCP servers for a specific workflow
164-
gh aw mcp inspect my-workflow
165-
166-
# Open the web-based MCP inspector
167-
gh aw mcp inspect my-workflow --inspector
80+
gh aw mcp list # list workflows with MCP servers
81+
gh aw mcp inspect my-workflow # inspect a workflow
82+
gh aw mcp inspect my-workflow --inspector # web-based inspector
16883
```
16984

17085
## Common Errors
17186

17287
### "Authentication failed"
17388

174-
```text
175-
Error: Authentication failed
176-
Your GitHub token may be invalid, expired, or lacking the required permissions.
177-
```
178-
179-
**Cause**: The Copilot token is missing, expired, or lacks required permissions.
180-
181-
**Fix**:
182-
183-
1. Verify you have an active Copilot subscription
184-
2. Check that the token has the **Copilot Requests** permission (for fine-grained PATs)
185-
3. If using a custom `COPILOT_GITHUB_TOKEN`, verify it's valid:
186-
187-
```bash
188-
gh auth status
189-
```
190-
191-
4. See [Authentication Reference](/gh-aw/reference/auth/) for token setup details
89+
The Copilot token is missing, expired, or lacks the required permissions. Confirm you have an active Copilot subscription, that the token has **Copilot Requests** permission (fine-grained PATs), and that `gh auth status` reports it valid. See [Authentication Reference](/gh-aw/reference/auth/).
19290

19391
### "Tool not found" or Missing Tool Calls
19492

195-
**Cause**: The workflow references a tool that isn't configured or the MCP server failed to connect.
196-
197-
**Fix**:
198-
199-
1. Run `gh aw mcp inspect my-workflow` to verify tool configuration
200-
2. Check that the MCP server version is compatible
201-
3. Ensure `tools:` section in frontmatter includes the required tool
202-
4. Run `gh aw audit <run-id>` to see which tools were available vs. requested
93+
The workflow references a tool that isn't configured or the MCP server failed to connect. Verify the `tools:` section in frontmatter, check the MCP server version, then run `gh aw mcp inspect my-workflow` and `gh aw audit <run-id>` to compare available vs. requested tools.
20394

20495
### Network / Firewall Blocks
20596

20697
```text
20798
DENIED CONNECT registry.npmjs.org:443
20899
```
209100

210-
**Cause**: The agent tried to reach a domain not in the firewall allow-list.
211-
212-
**Fix**: Add the domain to the `network.allowed` list in your workflow frontmatter:
101+
The agent reached a domain outside the firewall allow-list. Add it explicitly, or use an ecosystem shorthand:
213102

214103
```aw
215104
network:
216105
allowed:
217106
- defaults
107+
- node # npm, yarn, pnpm registries
108+
- python # PyPI, conda registries
218109
- registry.npmjs.org
219110
```
220111

221-
Or use an ecosystem shorthand:
222-
223-
```aw
224-
network:
225-
allowed:
226-
- defaults
227-
- node # Adds npm, yarn, pnpm registries
228-
- python # Adds PyPI, conda registries
229-
```
230-
231112
See [Network Configuration](/gh-aw/guides/network-configuration/) for common domain configurations.
232113

233114
### Safe-Outputs Not Creating Issues / Comments
234115

235-
**Cause**: The safe-outputs job failed, the agent didn't produce the expected output, or permissions are missing.
236-
237-
**Fix**:
238-
239-
1. Run `gh aw audit <run-id>` and check the safe-outputs section
240-
2. See [Safe Outputs Reference](/gh-aw/reference/safe-outputs/) for configuration details
116+
The safe-outputs job failed, the agent didn't produce the expected output, or permissions are missing. Inspect the safe-outputs section in `gh aw audit <run-id>` and review the [Safe Outputs Reference](/gh-aw/reference/safe-outputs/).
241117

242118
### Compilation Errors
243119

244-
**Cause**: The workflow frontmatter has schema validation errors or unsupported fields.
245-
246-
**Fix**:
120+
The frontmatter has schema validation errors or unsupported fields. Use `--verbose` to diagnose, `gh aw fix --write` to auto-correct, and `--validate` to check without writing the lock file. See [Error Reference](/gh-aw/troubleshooting/errors/) for specific messages.
247121

248-
1. Run the compiler with verbose output:
249-
250-
```bash
251-
gh aw compile my-workflow --verbose
252-
```
253-
254-
2. Run the fixer for auto-correctable issues:
255-
256-
```bash
257-
gh aw fix --write
258-
```
259-
260-
3. Validate without compiling:
261-
262-
```bash
263-
gh aw compile --validate
264-
```
265-
266-
4. See [Error Reference](/gh-aw/troubleshooting/errors/) for specific error messages
122+
```bash
123+
gh aw compile my-workflow --verbose
124+
gh aw fix --write
125+
gh aw compile --validate
126+
```
267127

268128
## Advanced Debugging
269129

270130
### Enable Debug Logging
271131

272-
The `DEBUG` environment variable enables detailed internal logging for any `gh aw` command:
132+
`DEBUG` enables detailed internal logging for any `gh aw` command. Output goes to `stderr` — capture it with `2>&1 | tee debug.log`.
273133

274134
```bash
275-
# All debug logs
276-
DEBUG=* gh aw compile my-workflow
277-
278-
# CLI-specific logs
279-
DEBUG=cli:* gh aw audit 12345678
280-
281-
# Workflow compilation logs
282-
DEBUG=workflow:* gh aw compile my-workflow
283-
284-
# Multiple packages
285-
DEBUG=workflow:*,cli:* gh aw compile my-workflow
135+
DEBUG=* gh aw compile my-workflow # all logs
136+
DEBUG=cli:* gh aw audit 12345678 # CLI-specific
137+
DEBUG=workflow:*,cli:* gh aw compile # multiple packages
286138
```
287139

288-
> [!TIP]
289-
> Debug output goes to `stderr`. Capture it with `2>&1 | tee debug.log`.
290-
291140
### Enable GitHub Actions Debug Logging
292141

293-
Set the `ACTIONS_STEP_DEBUG` secret to `true` in your repository to enable verbose step-level logging in GitHub Actions:
294-
295-
1. Go to **Settings → Secrets and variables → Actions**
296-
2. Add a secret: `ACTIONS_STEP_DEBUG` = `true`
297-
3. Re-run the workflow
298-
299-
This produces much more detailed logs in the Actions UI.
142+
Add an `ACTIONS_STEP_DEBUG` repository secret set to `true` (**Settings → Secrets and variables → Actions**), then re-run the workflow for verbose step-level logging in the Actions UI.
300143

301144
### Inspecting Firewall Logs
302145

303-
Download the workflow run artifacts and look for `sandbox/firewall/logs/access.log`. Each line shows whether a domain was allowed (`TCP_TUNNEL`) or blocked (`DENIED`):
146+
Workflow run artifacts include `sandbox/firewall/logs/access.log`. Each line shows allowed (`TCP_TUNNEL`) or blocked (`DENIED`) traffic:
304147

305148
```text
306149
TCP_TUNNEL/200 api.github.com:443
307150
DENIED CONNECT blocked-domain.com:443
308151
```
309152

310-
You can also use the CLI:
311-
312-
```bash
313-
gh aw logs my-workflow --firewall
314-
gh aw audit <run-id> # Includes firewall analysis
315-
```
153+
Or use the CLI: `gh aw logs my-workflow --firewall`, or `gh aw audit <run-id>` for combined firewall analysis.
316154

317155
### Inspecting Artifacts
318156

319157
Workflow runs produce several artifacts useful for debugging:
320158

321159
| Artifact | Location | Contents |
322160
|----------|----------|----------|
323-
| `prompt.txt` | `/tmp/gh-aw/aw-prompts/` | The full prompt sent to the AI agent |
161+
| `prompt.txt` | `/tmp/gh-aw/aw-prompts/` | Full prompt sent to the AI agent |
324162
| `agent_output.json` | `/tmp/gh-aw/safeoutputs/` | Structured safe-output data |
325163
| `agent-stdio.log` | `/tmp/gh-aw/` | Raw agent stdin/stdout log |
326164
| `firewall-logs/` | `/tmp/gh-aw/firewall-logs/` | Network access logs |
327165

328-
Download artifacts from the GitHub Actions run page or via the CLI:
329-
330-
```bash
331-
gh run download <run-id> --repo OWNER/REPO
332-
```
166+
Download from the Actions run page or `gh run download <run-id> --repo OWNER/REPO`.
333167

334168
### Recompiling for a Quick Fix
335169

336-
If you've identified the issue and made a change to the `.md` file, recompile and push:
170+
After editing the `.md` file, recompile, commit both files, and push:
337171

338172
```bash
339173
gh aw compile my-workflow

0 commit comments

Comments
 (0)