docs(runner-doctor): add C7 failure mode for DIFC probe on *.ghe.com#5651
Conversation
Add failure mode C7 documenting the DIFC proxy liveness probe issue on data-residency *.ghe.com tenants where diagnosis=unknown or reachable-but-api-error is reported. Updates: - shared/self-hosted-failure-modes.md: C7 row, error-string entry, known unresolved item - self-hosted-runner-doctor.md (workflow): C7 hint and unresolved note - self-hosted-runner-doctor.md (agent): all five proposed changes Closes #5646 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Updates the self-hosted “runner doctor” knowledge base to document a new failure mode (C7) affecting awf-cli-proxy DIFC-proxy liveness probing on GHEC data-residency (*.ghe.com) tenants, including symptom matching, quick lookup, and explicit unresolved-status guidance.
Changes:
- Added failure mode C7 to the Category C failure-mode catalog with symptoms, root cause, mitigation guidance, and citations.
- Added a new error-string quick lookup entry mapping DIFC probe
diagnosis=unknown/reachable-but-api-error (HTTP NNN)on*.ghe.comto C7. - Added C7 to the “Known unresolved items” lists and to the runner-doctor playbook hints/checklist sections, mirrored across the portable agent copy.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/shared/self-hosted-failure-modes.md |
Adds C7 to the shared failure-mode catalog, quick-lookup, and unresolved list. |
.github/workflows/self-hosted-runner-doctor.md |
Adds C7 to the workflow runner-doctor playbook: symptom→mode hint and unresolved-problems section. |
.github/agents/self-hosted-runner-doctor.md |
Mirrors the shared catalog + playbook updates into the portable agent-facing runner-doctor doc. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 0
- Review effort level: Low
|
✅ Smoke Claude passed |
|
✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓 |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
✅ Contribution Check completed successfully! Contribution guidelines review complete for PR #5651: documentation-only changes are clearly described, reference the related issue, and do not require tests under CONTRIBUTING.md. |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
✅ Smoke Gemini completed. All facets verified. 💎 Testing safeoutputs |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓 |
|
🚀 Security Guard has started processing this pull request |
|
🔌 Smoke Services — All services reachable! ✅ |
|
✅ Build Test Suite completed successfully! |
Smoke Test: Claude Engine Validation
Overall result: PASS
|
🤖 Smoke Test Results
Overall: FAIL — pre-step outputs ( PR: docs(runner-doctor): add C7 failure mode for DIFC probe on *.ghe.com by @lpcox
|
|
Smoke test results for Copilot BYOK (Direct) Mode:
Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) cc @lpcox
|
🔥 Smoke Test: PAT Auth — PR #5651
Overall: PARTIAL — MCP auth confirmed; pre-step outputs were not injected into the workflow prompt. @lpcox — Auth mode: PAT (COPILOT_GITHUB_TOKEN)
|
|
Smoke Test Results: Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw). Overall: PASS
|
Smoke Test
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Smoke Test: Copilot BYOK (Direct) ModeRunning in direct BYOK mode (COPILOT_PROVIDER_API_KEY via api-proxy → api.githubcopilot.com) Test Results
Overall Status: PASS /cc @lpcox
|
🔭 Smoke Test: API Proxy OpenTelemetry Tracing
All 5 scenarios pass. OTEL tracing integration is functioning correctly.
|
Chroot Version Comparison Results
Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments. The
|
|
Smoke test PASSED Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Smoke Test Results — Services Connectivity
Overall: FAIL —
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
Summary
Adds failure mode C7 to the runner doctor knowledge base, documenting the DIFC proxy liveness probe issue on data-residency
*.ghe.comtenants.Changes
.github/workflows/shared/self-hosted-failure-modes.mddiagnosis=unknown/reachable-but-api-error.github/workflows/self-hosted-runner-doctor.md.github/agents/self-hosted-runner-doctor.mdContext
On GHEC data-residency (
*.ghe.com) tenants, theawf-cli-proxyDIFC probe fails because the proxy is not enterprise-host-aware. AWF ≥ v0.27.12 provides better diagnostics (reachable-but-api-error (HTTP NNN)+ targeted hint) but the root cause is unresolved in companion projects.Closes #5646