Skip to content

ci/ai: check out the failure SHA before the /investigate agent runs#172037

Merged
rickystewart merged 1 commit into
cockroachdb:masterfrom
rickystewart:ricky/xxypskqzqwrl
Jun 26, 2026
Merged

ci/ai: check out the failure SHA before the /investigate agent runs#172037
rickystewart merged 1 commit into
cockroachdb:masterfrom
rickystewart:ricky/xxypskqzqwrl

Conversation

@rickystewart

Copy link
Copy Markdown
Contributor

The /investigate agent could not check out the failure commit. Its git checkout <sha> failed with "not our ref", and it fell back to analyzing the default-branch tip -- the persistent problem reported for the workflow. Prior fixes (the checkout-sha helper, then a git wrapper that retried via snapshot-fetch) assumed GitHub's promisor rejects object-level fetches for commits off the default branch. That was a misdiagnosis: those failures were all observed inside the agent step, where the credentials were already broken.

The real cause is in the action that runs the agent: in agent mode it calls configureGitAuth during prepare, which removes the auth header actions/checkout installed for CODE_REPO and repoints origin at the workflow repo using the default GITHUB_TOKEN. By the time the agent runs, origin no longer points at CODE_REPO and the credential is gone, so any fetch the agent attempts -- including the lazy blob fetch a checkout triggers -- hits the wrong repository and fails.

Stop relying on the agent's git for this. Resolve and check out the failure SHA in a dedicated workflow step that runs while the actions/checkout credentials are still active, then pass the SHA to the agent and tell it the tree is already checked out. The SHA is taken from an explicit /investigate <sha> trigger, otherwise the most recent failure linked in the issue. On any failure the worktree is left at the default-branch tip and the agent emits the existing warning.

This lets the git wrapper be removed (snapshot-fetch and checkout-sha remain, now used by the workflow step). It also keeps INVESTIGATE_PAT away from the agent: configureGitAuth still strips it before the agent runs, so the token is never exposed to it.

Epic: none
Release note: none

The /investigate agent could not check out the failure commit. Its
`git checkout <sha>` failed with "not our ref", and it fell back to
analyzing the default-branch tip -- the persistent problem reported for
the workflow. Prior fixes (the checkout-sha helper, then a git wrapper
that retried via snapshot-fetch) assumed GitHub's promisor rejects
object-level fetches for commits off the default branch. That was a
misdiagnosis: those failures were all observed inside the agent step,
where the credentials were already broken.

The real cause is in the action that runs the agent: in agent mode it
calls configureGitAuth during prepare, which removes the auth header
actions/checkout installed for CODE_REPO and repoints origin at the
workflow repo using the default GITHUB_TOKEN. By the time the agent
runs, origin no longer points at CODE_REPO and the credential is gone,
so any fetch the agent attempts -- including the lazy blob fetch a
checkout triggers -- hits the wrong repository and fails.

Stop relying on the agent's git for this. Resolve and check out the
failure SHA in a dedicated workflow step that runs while the
actions/checkout credentials are still active, then pass the SHA to the
agent and tell it the tree is already checked out. The SHA is taken
from an explicit `/investigate <sha>` trigger, otherwise the most
recent failure linked in the issue. On any failure the worktree is left
at the default-branch tip and the agent emits the existing warning.

This lets the git wrapper be removed (snapshot-fetch and checkout-sha
remain, now used by the workflow step). It also keeps INVESTIGATE_PAT
away from the agent: configureGitAuth still strips it before the agent
runs, so the token is never exposed to it.

Epic: none
Release note: none
@rickystewart rickystewart requested a review from a team as a code owner June 26, 2026 19:23
@rickystewart rickystewart merged commit dd111ac into cockroachdb:master Jun 26, 2026
21 of 22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants