The Design Decision Gate workflow fails on complex PRs with error_max_turns — the agent hits the 12-turn limit before it can post a PR comment, even though it successfully writes and pushes a draft ADR to the PR branch.
Two compounding issues cause this:
The agent calls bash safeoutputs add_comment which is permission-denied (not pre-authorized in the DDG workflow); only the MCP tool path is available
A pre-step file /tmp/gh-aw/agent/adr-prefetch-summary.json is missing, causing the agent to spend extra turns on analysis that should be pre-computed
Complex PRs (docs changes, large diffs) need 12–13 turns vs 4–5 for simple fix PRs, leaving no turn budget for the comment step
Successful DDG runs in same 6h window: §25197472599 (4 turns, success), §25197449592 (5 turns, success) — simple fix PRs complete within budget.
Evidence
From agent-stdio.log (run 25196318154):
{"type":"result","subtype":"error_max_turns","is_error":true,"num_turns":13,
"terminal_reason":"max_turns","errors":["Reached maximum number of turns (12)"]}
Permission denials recorded in session:
bash safeoutputs add_comment --body "..." — not pre-authorized
The MCP push_to_pull_request_branch tool succeeded twice — the ADR draft was committed to the branch. Only the PR comment is missing.
Note: This is distinct from the GitHub MCP connection-drop failures tracked in the existing DDG sub-issue. Here the agent exits cleanly via max_turns; the MCP "drop" messages appear only during post-session cleanup, not mid-session.
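An added triage example (not part of the original issue or of the gh-aw code base): it scans an agent-stdio.log for the final result record and reports turn-budget exhaustion together with any denied commands. The `permission_denials` field layout and the `triage` function name are assumptions, and the sample log is constructed.

```python
import json
import re

# Constructed sample shaped like the result line quoted above. The
# "permission_denials" field and its layout are assumptions for illustration.
SAMPLE_LOG = "\n".join([
    "[agent] starting session",
    json.dumps({"type": "assistant", "message": "drafting ADR"}),
    json.dumps({
        "type": "result", "subtype": "error_max_turns", "is_error": True,
        "num_turns": 13, "terminal_reason": "max_turns",
        "errors": ["Reached maximum number of turns (12)"],
        "permission_denials": [
            {"tool_input": {"command": 'safeoutputs add_comment --body "..."'}},
            {"tool_input": {"command": "cat /tmp/gh-aw/agent/adr-prefetch-summary.json"}},
        ],
    }),
])

LIMIT_RE = re.compile(r"maximum number of turns \((\d+)\)")


def triage(log_text):
    """Summarize the last result record in the log, or return None."""
    result = None
    for line in log_text.splitlines():
        if not line.lstrip().startswith("{"):
            continue  # plain-text log noise
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved output
        if isinstance(record, dict) and record.get("type") == "result":
            result = record
    if result is None:
        return None
    match = LIMIT_RE.search(" ".join(map(str, result.get("errors") or [])))
    denied = [(d.get("tool_input") or {}).get("command", "")
              for d in result.get("permission_denials") or []
              if isinstance(d, dict)]
    return {
        "turn_budget_exhausted": result.get("subtype") == "error_max_turns",
        "num_turns": result.get("num_turns"),
        "turn_limit": int(match.group(1)) if match else None,
        "denied_commands": denied,
        # A denied safe-output call spent turns without posting the comment.
        "safe_output_denied": any("safeoutputs" in c for c in denied),
    }
```

A run where `turn_budget_exhausted` and `safe_output_denied` are both true matches the failure described here, as opposed to a mid-session MCP connection drop.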
Root Cause
The DDG prompt instructs the agent to use bash safeoutputs add_comment for PR comments, but this bash invocation is not pre-authorized in the DDG workflow's allowed command list. The MCP add_comment tool is the correct path and doesn't require bash pre-authorization. Additionally, adr-prefetch-summary.json appears to be a pre-step artifact that is no longer being generated, costing extra analysis turns.
Proposed Remediation
1. Update DDG prompt: Replace bash safeoutputs add_comment with the MCP add_comment tool call — this is the approved safe-output path
2. Restore pre-step: Re-enable generation of /tmp/gh-aw/agent/adr-prefetch-summary.json in the DDG pre-activation step, reducing analysis turns for complex PRs
3. Fallback: If steps 1+2 are insufficient, raise the DDG max-turns limit from 12 to 15
Success Criteria
DDG completes on complex PRs posting both the ADR draft push to branch and a PR review comment. error_max_turns not reported. Run duration stays under 10 minutes.
Affected Runs
copilot/fix-workflow-name-error (13 turns, 6.9m)
copilot/docs-copilot-provider-variables (13 turns, 6.7m)
Permission denials recorded in session:
bash safeoutputs add_comment --body "..." — not pre-authorized
bash cat /tmp/gh-aw/agent/adr-prefetch-summary.json — pre-step file absent
Parent: #29232
References:
Note
🔒 Integrity filter blocked 3 items
The following items were blocked because they don't meet the GitHub integrity level.
list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter: