Problem statement
Fix the bash allowlist in `daily-compiler-threat-spec-optimizer.md`: it is starving the agent and has broken the workflow for 3 consecutive weekly runs.
Every scheduled run hits numerous permission-denied bash errors, spins in a single 34-minute turn, produces 0 writes, and the `agent` job exits `failure`.
Affected workflow and run IDs
| Run | Date | Turns | Duration | Signature |
|---|---|---|---|---|
| §27930026536 | 2026-06-22 | 1 | 34.3m | permission denied |
| §27524446910 | 2026-06-15 | 1 | 34.1m | permission denied |
| §27116382253 | 2026-06-08 | 1 | 34.5m | permission denied |
Last green run: §26735555304 (2026-06-01, 5 turns).
Probable root cause
The workflow sets `strict: true` with a narrow bash allowlist:

```yaml
tools:
  bash:
    - git ls-files pkg/workflow/*.go
    - git ls-files pkg/parser/*.go
    - cat specs/compiler-threat-detection-spec.md
    - git log --since="2 days ago" --oneline -- pkg/workflow pkg/parser actions/setup/js
    - git diff -- pkg/workflow pkg/parser actions/setup/js
    - go test -v ./pkg/workflow/...
```
The agent needs to inspect specific line ranges of the spec and broader git history, so it issues commands that are not on the allowlist and are all denied under `strict: true`:

- `read(/home/runner/work/gh-aw/gh-aw)`
- `git log --oneline -20 --no-pager` (differs from the allowed `--since="2 days ago"` form)
- `sed -n '240,275p' specs/compiler-threat-detection-spec.md`
- `awk 'NR>=240 && NR<=275' specs/compiler-threat-detection-spec.md`

With only `cat` permitted for the spec, the agent has no way to read line ranges; it retries variants, burns the full 34-minute budget in one turn, then errors. `audit` classifies this as `missing tool/permission: numerous permission denied errors detected`. `audit-diff` vs the last green baseline shows 53 bash calls in the failing run, turns 5→1.
Proposed remediation
In `.github/workflows/daily-compiler-threat-spec-optimizer.md`, widen the bash allowlist to the read commands the agent actually uses, then recompile the lock. Options (pick one):

- Add explicit read tools: `sed`, `head`, `tail`, `awk` scoped to `specs/`, plus broader `git log` / `git diff -- specs pkg/workflow pkg/parser`.
- Or grant read-only file/git inspection (e.g. `git log:*`, `git diff:*`, `sed:*`, `head:*`, `tail:*`), given `permissions: contents: read`. Note that an unscoped `sed:*` also admits in-place edits such as `sed -i`; `contents: read` only bounds what the job's token can push, not what the agent can write in the checkout.
- Or tighten the prompt so the agent only uses the already-allowed `cat specs/...` (less robust).

Recompile: `make recompile` (or the repo's lock-generation step) so `daily-compiler-threat-spec-optimizer.lock.yml` is regenerated.
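To make the gap in the root-cause section concrete, here is an added example (not code from gh-aw or from this issue) that models an allowlist as either a literal command line or a `prefix:*` entry, assumed to admit any command beginning with that prefix, and runs the denied bash commands against the current list and against a list in the option 2 form from the remediation. The matching semantics and the exact spelling of the `cmd:*` entries are assumptions; gh-aw's real matcher is not shown here.

```bash
#!/usr/bin/env bash
# Added example (not gh-aw code): a toy model of an exact-or-prefix bash
# allowlist, run against the commands the failing runs were denied.
# ASSUMPTION: an entry is either a literal command line (must match exactly)
# or "prefix:*" (admits any command line starting with prefix). gh-aw's real
# matcher may differ; the counts below hold for this model only.

# is_allowed CMD ALLOWLIST -> exit 0 if CMD is admitted by any entry.
# ALLOWLIST is newline-separated, one entry per line.
is_allowed() {
  local cmd=$1 list=$2 entry prefix
  while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    case "$entry" in
      *:\*)
        # prefix form, e.g. "git log:*" admits "git log" plus any arguments
        prefix=${entry%:\*}
        case "$cmd" in
          "$prefix"|"$prefix "*) return 0 ;;
        esac
        ;;
      *)
        # literal form: the whole command line must match
        [ "$cmd" = "$entry" ] && return 0
        ;;
    esac
  done <<EOF
$list
EOF
  return 1
}

# count_admitted CMDS ALLOWLIST -> prints how many lines of CMDS are admitted.
count_admitted() {
  local cmds=$1 list=$2 n=0 c
  while IFS= read -r c; do
    [ -z "$c" ] && continue
    if is_allowed "$c" "$list"; then n=$((n + 1)); fi
  done <<EOF
$cmds
EOF
  echo "$n"
}

# The allowlist the workflow uses today (copied from the issue).
OLD_ALLOWLIST='git ls-files pkg/workflow/*.go
git ls-files pkg/parser/*.go
cat specs/compiler-threat-detection-spec.md
git log --since="2 days ago" --oneline -- pkg/workflow pkg/parser actions/setup/js
git diff -- pkg/workflow pkg/parser actions/setup/js
go test -v ./pkg/workflow/...'

# Option 2 from the remediation in prefix form, with awk added because the
# agent used it. Hypothetical spelling: the issue does not show gh-aw's syntax.
BROAD_ALLOWLIST="$OLD_ALLOWLIST
git log:*
git diff:*
sed:*
head:*
tail:*
awk:*"

# The bash commands the failing runs were denied (from the issue). The
# read(...) call is a file tool, not bash, so it is not modelled here.
DENIED_CMDS=$(cat <<'EOF'
git log --oneline -20 --no-pager
sed -n '240,275p' specs/compiler-threat-detection-spec.md
awk 'NR>=240 && NR<=275' specs/compiler-threat-detection-spec.md
EOF
)

# A write the broad list would also admit: sed -i edits the file in place.
WRITE_CMD='sed -i s/foo/bar/ specs/compiler-threat-detection-spec.md'

echo "denied commands admitted by current list: $(count_admitted "$DENIED_CMDS" "$OLD_ALLOWLIST") of 3"
echo "denied commands admitted by broad list:   $(count_admitted "$DENIED_CMDS" "$BROAD_ALLOWLIST") of 3"
if is_allowed "$WRITE_CMD" "$BROAD_ALLOWLIST"; then
  echo "broad list also admits a write: $WRITE_CMD"
fi
```

Under this model the current list admits none of the three bash commands, the prefix list admits all three, and it also admits `sed -i`, a write to the checkout. If the real matcher is prefix-based, option 1's scoping to `specs/` is what keeps the inspection read-only; `permissions: contents: read` on its own only bounds what the job's token can push.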
Success criteria / verification
- Next weekly run (or a `workflow_dispatch`) completes with >1 turn and 0 permission-denied events in `audit`.
- `agent` job conclusion is `success`; the workflow either opens a `[compiler-threat-spec]` PR or makes a clean no-op.
- `audit` no longer reports `missing tool/permission` for the run.
Filed by 6h Failure Investigator. Parent: #39883.
Related to #39883
Generated by 🔍 [aw] Failure Investigator (6h) · 253.8 AIC · ⊞ 4.9K · ◷