You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -12,103 +12,38 @@ This guide shows you how to debug agentic workflow failures on **github.com** us
12
12
13
13
## Debugging with the Copilot CLI
14
14
15
-
The Copilot CLI can audit logs, trace failures, and suggest fixes interactively. This is the recommended first step for any workflow failure.
15
+
The Copilot CLI is the recommended first step: it audits logs, traces failures, and suggests fixes interactively.
16
16
17
-
### Step 1: Launch the Copilot CLI
18
-
19
-
```bash
20
-
copilot
21
-
```
22
-
23
-
### Step 2: Load the Agentic Workflows Agent
24
-
25
-
Once inside the Copilot CLI, run:
26
-
27
-
```text
28
-
/agent
29
-
```
30
-
31
-
Select **agentic-workflows** from the list. This gives Copilot access to the `gh aw audit`, `gh aw logs`, and other debugging tools.
32
-
33
-
### Step 3: Ask Copilot to Debug the Failure
34
-
35
-
Paste the failing run URL and ask Copilot to investigate:
17
+
Launch `copilot`, run `/agent` and select **agentic-workflows** to enable `gh aw audit`, `gh aw logs`, and related debugging tools. Then paste the failing run URL:
36
18
37
19
```text
38
20
Debug this workflow run: https://github.com/OWNER/REPO/actions/runs/RUN_ID
39
21
```
40
22
41
-
Copilot will:
23
+
Copilot downloads the logs, identifies the root cause (missing tools, permission errors, network blocks), and suggests fixes or opens a PR. Follow-up questions like "What domains were blocked?" or "Why did the MCP server fail?" work too.
42
24
43
-
- Download and audit the run logs
44
-
- Identify the root cause (missing tools, permission errors, network blocks, etc.)
45
-
- Suggest targeted fixes or open a pull request with the fix
For coding agents that don't have the agentic-workflows agent pre-configured, use the standalone debug prompt:
66
-
67
-
```text
68
-
Debug this workflow run using https://raw.githubusercontent.com/github/gh-aw/main/debug.md
69
-
70
-
The failed workflow run is at https://github.com/OWNER/REPO/actions/runs/RUN_ID
71
-
```
72
-
73
-
The agent will install `gh aw`, analyze logs, identify the root cause, and suggest a fix.
33
+
The failed workflow run is at https://github.com/OWNER/REPO/actions/runs/RUN_ID
34
+
```
74
35
75
36
## Debugging with CLI Commands
76
37
77
38
### Auditing a Specific Run
78
39
79
-
`gh aw audit`gives a comprehensive breakdown of a single run — overview, metrics, tool usage, MCP failures, firewall analysis, behavior fingerprint, and artifacts:
40
+
`gh aw audit`breaks down a single run — failure analysis and root cause, behavior fingerprint (network/tool/cost profile), tool usage, MCP server status, firewall analysis, token/cost metrics, and safe-outputs. Accepts a run ID, run URL, job URL (extracts first failing step), or step URL.
80
41
81
42
```bash
82
-
# By run ID
83
43
gh aw audit 12345678
84
-
85
-
# By full URL
86
-
gh aw audit https://github.com/OWNER/REPO/actions/runs/12345678
87
-
88
-
# By job URL (extracts first failing step)
89
-
gh aw audit https://github.com/OWNER/REPO/actions/runs/123/job/456
90
-
91
-
# By step URL (extracts a specific step)
92
44
gh aw audit https://github.com/OWNER/REPO/actions/runs/123/job/456#step:7:1
93
-
94
-
# Parse to markdown for sharing
95
-
gh aw audit 12345678 --parse
96
-
```
97
-
98
-
Audit output includes:
99
-
100
-
-**Failure analysis** with error summary and root cause
101
-
-**Behavior fingerprint** — multi-dimensional characterization of the run's network, tool, and cost profile
102
-
-**Tool usage** — which tools were called, which failed, and why
103
-
-**MCP server status** — connection failures, timeout errors, and per-server health
104
-
-**Firewall analysis** — blocked domains, allowed traffic, and policy attribution
105
-
-**Token/cost metrics** — per-run inference spend and token usage
106
-
-**Safe-outputs** — structured outputs the agent produced
107
-
108
-
To compare behavior between two runs and detect regressions across firewall, MCP, and metrics dimensions, pass multiple run IDs directly to `audit`:
109
-
110
-
```bash
111
-
gh aw audit 12345678 12345679
45
+
gh aw audit 12345678 --parse # parse to markdown
46
+
gh aw audit 12345678 12345679 # compare two runs
112
47
gh aw audit 12345678 12345679 --format markdown
113
48
```
114
49
@@ -123,217 +58,116 @@ See [Audit Commands](/gh-aw/reference/audit/) for complete flag documentation.
123
58
124
59
### Analyzing Workflow Logs
125
60
126
-
`gh aw logs` downloads and analyzes logs across multiple runs with tool usage, network patterns, errors, and warnings:
61
+
`gh aw logs` downloads and analyzes logs across multiple runs (tool usage, network patterns, errors). Results are cached for 10–100× speedup on later runs.
127
62
128
63
```bash
129
-
# Download logs for a workflow
130
64
gh aw logs my-workflow
131
-
132
-
# Filter by count and date range
133
-
gh aw logs my-workflow -c 10 --start-date -1w
134
-
135
-
# Include firewall analysis
136
-
gh aw logs my-workflow --firewall
137
-
138
-
# Include safe-output details
139
-
gh aw logs my-workflow --safe-output
140
-
141
-
# JSON output for scripting
142
-
gh aw logs my-workflow --json
65
+
gh aw logs my-workflow -c 10 --start-date -1w # filter by count and date
66
+
gh aw logs my-workflow --firewall # include firewall analysis
67
+
gh aw logs my-workflow --safe-output # include safe-output details
68
+
gh aw logs my-workflow --json # JSON for scripting
143
69
```
144
70
145
-
Results are cached locally for 10–100× speedup on subsequent runs.
146
-
147
71
### Checking Workflow Health
148
72
149
-
`gh aw health` gives a quick overview of workflow status across all workflows in a repository:
150
-
151
-
```bash
152
-
gh aw health
153
-
```
73
+
`gh aw health` reports workflow status across all workflows in a repository.
154
74
155
75
### Inspecting MCP Configuration
156
76
157
77
If you suspect MCP server issues, inspect the compiled configuration:
158
78
159
79
```bash
160
-
# List all workflows with MCP servers
161
-
gh aw mcp list
162
-
163
-
# Inspect MCP servers for a specific workflow
164
-
gh aw mcp inspect my-workflow
165
-
166
-
# Open the web-based MCP inspector
167
-
gh aw mcp inspect my-workflow --inspector
80
+
gh aw mcp list # list workflows with MCP servers
81
+
gh aw mcp inspect my-workflow # inspect a workflow
82
+
gh aw mcp inspect my-workflow --inspector # web-based inspector
168
83
```
169
84
170
85
## Common Errors
171
86
172
87
### "Authentication failed"
173
88
174
-
```text
175
-
Error: Authentication failed
176
-
Your GitHub token may be invalid, expired, or lacking the required permissions.
177
-
```
178
-
179
-
**Cause**: The Copilot token is missing, expired, or lacks required permissions.
180
-
181
-
**Fix**:
182
-
183
-
1. Verify you have an active Copilot subscription
184
-
2. Check that the token has the **Copilot Requests** permission (for fine-grained PATs)
185
-
3. If using a custom `COPILOT_GITHUB_TOKEN`, verify it's valid:
186
-
187
-
```bash
188
-
gh auth status
189
-
```
190
-
191
-
4. See [Authentication Reference](/gh-aw/reference/auth/) for token setup details
89
+
The Copilot token is missing, expired, or lacks the required permissions. Confirm you have an active Copilot subscription, that the token has **Copilot Requests** permission (fine-grained PATs), and that `gh auth status` reports it valid. See [Authentication Reference](/gh-aw/reference/auth/).
192
90
193
91
### "Tool not found" or Missing Tool Calls
194
92
195
-
**Cause**: The workflow references a tool that isn't configured or the MCP server failed to connect.
196
-
197
-
**Fix**:
198
-
199
-
1. Run `gh aw mcp inspect my-workflow` to verify tool configuration
200
-
2. Check that the MCP server version is compatible
201
-
3. Ensure `tools:` section in frontmatter includes the required tool
202
-
4. Run `gh aw audit <run-id>` to see which tools were available vs. requested
93
+
The workflow references a tool that isn't configured or the MCP server failed to connect. Verify the `tools:` section in frontmatter, check the MCP server version, then run `gh aw mcp inspect my-workflow` and `gh aw audit <run-id>` to compare available vs. requested tools.
203
94
204
95
### Network / Firewall Blocks
205
96
206
97
```text
207
98
DENIED CONNECT registry.npmjs.org:443
208
99
```
209
100
210
-
**Cause**: The agent tried to reach a domain not in the firewall allow-list.
211
-
212
-
**Fix**: Add the domain to the `network.allowed` list in your workflow frontmatter:
101
+
The agent reached a domain outside the firewall allow-list. Add it explicitly, or use an ecosystem shorthand:
213
102
214
103
```aw
215
104
network:
216
105
allowed:
217
106
- defaults
107
+
- node # npm, yarn, pnpm registries
108
+
- python # PyPI, conda registries
218
109
- registry.npmjs.org
219
110
```
220
111
221
-
Or use an ecosystem shorthand:
222
-
223
-
```aw
224
-
network:
225
-
allowed:
226
-
- defaults
227
-
- node # Adds npm, yarn, pnpm registries
228
-
- python # Adds PyPI, conda registries
229
-
```
230
-
231
112
See [Network Configuration](/gh-aw/guides/network-configuration/) for common domain configurations.
232
113
233
114
### Safe-Outputs Not Creating Issues / Comments
234
115
235
-
**Cause**: The safe-outputs job failed, the agent didn't produce the expected output, or permissions are missing.
236
-
237
-
**Fix**:
238
-
239
-
1. Run `gh aw audit <run-id>` and check the safe-outputs section
240
-
2. See [Safe Outputs Reference](/gh-aw/reference/safe-outputs/) for configuration details
116
+
The safe-outputs job failed, the agent didn't produce the expected output, or permissions are missing. Inspect the safe-outputs section in `gh aw audit <run-id>` and review the [Safe Outputs Reference](/gh-aw/reference/safe-outputs/).
241
117
242
118
### Compilation Errors
243
119
244
-
**Cause**: The workflow frontmatter has schema validation errors or unsupported fields.
245
-
246
-
**Fix**:
120
+
The frontmatter has schema validation errors or unsupported fields. Use `--verbose` to diagnose, `gh aw fix --write` to auto-correct, and `--validate` to check without writing the lock file. See [Error Reference](/gh-aw/troubleshooting/errors/) for specific messages.
247
121
248
-
1. Run the compiler with verbose output:
249
-
250
-
```bash
251
-
gh aw compile my-workflow --verbose
252
-
```
253
-
254
-
2. Run the fixer for auto-correctable issues:
255
-
256
-
```bash
257
-
gh aw fix --write
258
-
```
259
-
260
-
3. Validate without compiling:
261
-
262
-
```bash
263
-
gh aw compile --validate
264
-
```
265
-
266
-
4. See [Error Reference](/gh-aw/troubleshooting/errors/) for specific error messages
122
+
```bash
123
+
gh aw compile my-workflow --verbose
124
+
gh aw fix --write
125
+
gh aw compile --validate
126
+
```
267
127
268
128
## Advanced Debugging
269
129
270
130
### Enable Debug Logging
271
131
272
-
The `DEBUG`environment variable enables detailed internal logging for any `gh aw` command:
132
+
`DEBUG` enables detailed internal logging for any `gh aw` command. Output goes to `stderr` — capture it with `2>&1 | tee debug.log`.
273
133
274
134
```bash
275
-
# All debug logs
276
-
DEBUG=* gh aw compile my-workflow
277
-
278
-
# CLI-specific logs
279
-
DEBUG=cli:* gh aw audit 12345678
280
-
281
-
# Workflow compilation logs
282
-
DEBUG=workflow:* gh aw compile my-workflow
283
-
284
-
# Multiple packages
285
-
DEBUG=workflow:*,cli:* gh aw compile my-workflow
135
+
DEBUG=* gh aw compile my-workflow # all logs
136
+
DEBUG=cli:* gh aw audit 12345678 # CLI-specific
137
+
DEBUG=workflow:*,cli:* gh aw compile # multiple packages
286
138
```
287
139
288
-
> [!TIP]
289
-
> Debug output goes to `stderr`. Capture it with `2>&1 | tee debug.log`.
290
-
291
140
### Enable GitHub Actions Debug Logging
292
141
293
-
Set the `ACTIONS_STEP_DEBUG` secret to `true` in your repository to enable verbose step-level logging in GitHub Actions:
294
-
295
-
1. Go to **Settings → Secrets and variables → Actions**
296
-
2. Add a secret: `ACTIONS_STEP_DEBUG` = `true`
297
-
3. Re-run the workflow
298
-
299
-
This produces much more detailed logs in the Actions UI.
142
+
Add an `ACTIONS_STEP_DEBUG` repository secret set to `true` (**Settings → Secrets and variables → Actions**), then re-run the workflow for verbose step-level logging in the Actions UI.
300
143
301
144
### Inspecting Firewall Logs
302
145
303
-
Download the workflow run artifacts and look for `sandbox/firewall/logs/access.log`. Each line shows whether a domain was allowed (`TCP_TUNNEL`) or blocked (`DENIED`):
146
+
Workflow run artifacts include `sandbox/firewall/logs/access.log`. Each line shows allowed (`TCP_TUNNEL`) or blocked (`DENIED`) traffic:
304
147
305
148
```text
306
149
TCP_TUNNEL/200 api.github.com:443
307
150
DENIED CONNECT blocked-domain.com:443
308
151
```
309
152
310
-
You can also use the CLI:
311
-
312
-
```bash
313
-
gh aw logs my-workflow --firewall
314
-
gh aw audit <run-id># Includes firewall analysis
315
-
```
153
+
Or use the CLI: `gh aw logs my-workflow --firewall`, or `gh aw audit <run-id>` for combined firewall analysis.
316
154
317
155
### Inspecting Artifacts
318
156
319
157
Workflow runs produce several artifacts useful for debugging:
320
158
321
159
| Artifact | Location | Contents |
322
160
|----------|----------|----------|
323
-
|`prompt.txt`|`/tmp/gh-aw/aw-prompts/`|The full prompt sent to the AI agent |
161
+
|`prompt.txt`|`/tmp/gh-aw/aw-prompts/`|Full prompt sent to the AI agent |
324
162
|`agent_output.json`|`/tmp/gh-aw/safeoutputs/`| Structured safe-output data |
325
163
|`agent-stdio.log`|`/tmp/gh-aw/`| Raw agent stdin/stdout log |
0 commit comments