Labsco
github logo

debugging-workflows

✓ Official104

by github · part of github/gh-aw-firewall

Debug GitHub Actions workflows by downloading logs, analyzing summaries, and understanding how agentic workflows and the AWF firewall work together.

🔥🔥✓ VerifiedFreeAdvanced setup
🔒 Repo-maintenance skill. It exists to help maintain github/gh-aw-firewall itself — it's only useful if you contribute code to that project.

Debug GitHub Actions workflows by downloading logs, analyzing summaries, and understanding how agentic workflows and the AWF firewall work together.

Inspect the full instructions your agent will receiveExpand

This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.

by github

Debug GitHub Actions workflows by downloading logs, analyzing summaries, and understanding how agentic workflows and the AWF firewall work together. npx skills add https://github.com/github/gh-aw-firewall --skill debugging-workflows Download ZIPGitHub104

Debugging Workflows Skill

Use this skill when you need to debug GitHub Actions workflows, download workflow logs or summaries, or understand how agentic workflows and the AWF firewall work together.

GitHub CLI Commands

The gh CLI is essential for debugging workflows. Here are the most useful commands:

List Workflow Runs

Copy & paste — that's it
# List recent workflow runs
gh run list --limit 10

# List runs for a specific workflow
gh run list --workflow test-integration.yml --limit 10

# List only failed runs
gh run list --status failure --limit 10

# List runs in JSON format for parsing
gh run list --json databaseId,name,status,conclusion,createdAt --limit 10

View Workflow Run Details

Copy & paste — that's it
# View a specific run
gh run view 

# View run with job details
gh run view --verbose

# View run as JSON
gh run view --json jobs,conclusion,status

Download Run Logs

Copy & paste — that's it
# Download all logs for a run
gh run download 

# Download specific artifact
gh run download --name 

# Download to specific directory
gh run download --dir ./logs

Watch a Running Workflow

Copy & paste — that's it
# Watch a workflow run in real-time
gh run watch 

# Watch with exit code (useful for CI)
gh run watch --exit-status

Re-run Failed Jobs

Copy & paste — that's it
# Re-run failed jobs only
gh run rerun --failed

# Re-run all jobs
gh run rerun 

Understanding Agentic Workflows

What are Agentic Workflows?

Agentic workflows are GitHub Actions workflows that use AI agents (like GitHub Copilot or Claude) to perform tasks. They are defined using markdown + YAML frontmatter format in .github/workflows/*.md files and compiled to GitHub Actions YAML (.lock.yml files).

Key Components

Workflow File Format: .github/workflows/<name>.md

  • YAML frontmatter for configuration

  • Markdown body for AI instructions

  • Compiles to .github/workflows/<name>.lock.yml

Triggers (on: field):

  • Standard GitHub events: issues, pull_request, push, schedule

  • Command triggers: /mention in issues/comments

  • workflow_dispatch for manual triggers

Safe Outputs: Controlled way for AI to create GitHub entities

  • create-issue: - Create GitHub issues

  • create-pull-request: - Create PRs with git patches

  • add-comment: - Add comments to issues/PRs

  • add-labels: - Add labels to issues/PRs

  • create-discussion: - Create GitHub discussions

Tools Configuration (tools: field):

  • github: - GitHub API tools

  • agentic-workflows: - Workflow introspection tools

  • edit: - File editing tools

  • web-fetch: / web-search: - Web access tools

  • bash: - Shell command tools

Compiling Workflows

Copy & paste — that's it
# Compile all workflows
gh aw compile

# Compile a specific workflow
gh aw compile 

# Compile with strict security checks
gh aw compile --strict

Debugging Agentic Workflows

Copy & paste — that's it
# View status of all agentic workflows
gh aw status

# Download and analyze logs from previous runs
gh aw logs --json

# Audit a specific run for issues
gh aw audit --json

Common Issues

  • Missing Tool Calls: Check missing_tools in audit output

  • Safe Output Failures: Review safe_outputs.jsonl artifact

  • Permission Issues: Verify permissions: block in frontmatter

  • Network Blocked: Check network: configuration for allowed domains

Understanding the AWF Firewall

What is AWF?

AWF (Agent Workflow Firewall) is a tool that provides L7 (HTTP/HTTPS) egress control for GitHub Copilot CLI and other agents. It restricts network access to a whitelist of approved domains using Squid proxy and Docker containers.

Architecture Overview

Copy & paste — that's it
┌─────────────────────────────────────────┐
│ Host (GitHub Actions Runner / Local) │
│ │
│ ┌────────────────────────────────────┐ │
│ │ Firewall CLI (awf) │ │
│ │ - Parse arguments │ │
│ │ - Generate Squid config │ │
│ │ - Start Docker Compose │ │
│ └────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────┐ │
│ │ Docker Compose │ │
│ │ ┌────────────────────────────┐ │ │
│ │ │ Squid Proxy Container │ │ │
│ │ │ - Domain ACL filtering │ │ │
│ │ │ - HTTP/HTTPS proxy │ │ │
│ │ └────────────────────────────┘ │ │
│ │ ▲ │ │
│ │ ┌────────┼───────────────────┐ │ │
│ │ │ Agent Container │ │ │
│ │ │ - Full filesystem access │ │ │
│ │ │ - iptables redirect │ │ │
│ │ │ - All traffic → Squid │ │ │
│ │ └────────────────────────────┘ │ │
│ └──────────────────────────────────┘ │
└─────────────────────────────────────────┘

Key Containers

awf-squid - Squid proxy container (IP: 172.30.0.10)

  • Filters HTTP/HTTPS traffic based on domain allowlist

  • Logs all traffic decisions

awf-agent - Agent execution container (IP: 172.30.0.20)

  • Runs the actual command/agent

  • Has iptables rules to redirect traffic to Squid

  • Full filesystem access via /host mount

Traffic Flow

  • Command runs in agent container

  • All HTTP/HTTPS traffic → iptables DNAT → Squid proxy

  • Squid checks domain against allowlist

  • Allowed → forward to destination

  • Blocked → return 403 Forbidden

Squid Log Analysis

Copy & paste — that's it
# View Squid access log (shows traffic decisions)
docker exec awf-squid cat /var/log/squid/access.log

# Find blocked domains
docker exec awf-squid grep "TCP_DENIED" /var/log/squid/access.log | awk '{print $3}' | sort -u

# Count blocked by domain
docker exec awf-squid grep "TCP_DENIED" /var/log/squid/access.log | awk '{print $3}' | sort | uniq -c | sort -rn

# Real-time blocked traffic
docker exec awf-squid tail -f /var/log/squid/access.log | grep --line-buffered TCP_DENIED

Squid Decision Codes

  • TCP_TUNNEL:HIER_DIRECT = ALLOWED (HTTPS)

  • TCP_MISS:HIER_DIRECT = ALLOWED (HTTP)

  • TCP_DENIED:HIER_NONE = BLOCKED

Running Commands Through Firewall

Copy & paste — that's it
# Basic usage
sudo awf --allow-domains github.com 'curl https://api.github.com'

# With debug logging
sudo awf --allow-domains github.com --log-level debug 'your-command'

# Keep containers for inspection
sudo awf --allow-domains github.com --keep-containers 'your-command'

Preserved Logs Locations

With --keep-containers:

  • Squid: /tmp/awf-<timestamp>/squid-logs/access.log

  • Agent: /tmp/awf-<timestamp>/agent-logs/

Normal execution (after cleanup):

  • Squid: /tmp/squid-logs-<timestamp>/access.log

  • Agent: /tmp/awf-agent-logs-<timestamp>/

Copy & paste — that's it
# Find preserved logs
ls -ldt /tmp/awf-* /tmp/squid-logs-* 2>/dev/null | head -5

# View preserved Squid logs
sudo cat $(ls -t /tmp/squid-logs-*/access.log 2>/dev/null | head -1)

Debugging Workflow Failures

Step-by-Step Process

Identify the failing workflow run

Copy & paste — that's it
gh run list --status failure --limit 5

Get run details

Copy & paste — that's it
gh run view --verbose

Download logs

Copy & paste — that's it
gh run download --dir ./logs
# Or use the script:
npx tsx .github/skills/debugging-workflows/download-workflow-logs.ts --run-id 

Analyze the failure

  • Check job logs for error messages

  • Look for timeout issues

  • Check for permission errors

  • Review network-related errors

For agentic workflows, audit the run

Copy & paste — that's it
gh aw audit --json

If firewall-related, check Squid logs

Copy & paste — that's it
# If containers are still running
docker exec awf-squid cat /var/log/squid/access.log

# Or check preserved logs
sudo cat /tmp/squid-logs-*/access.log

Common Failure Patterns

Permission Denied

Copy & paste — that's it
Error: Resource not accessible by integration

Fix: Check permissions: in workflow frontmatter

Domain Blocked

Copy & paste — that's it
curl: (56) Recv failure: Connection reset by peer

Fix: Add domain to --allow-domains or network: configuration

Timeout

Copy & paste — that's it
Error: The operation was canceled.

Fix: Increase timeout-minutes in workflow configuration

Missing Tool

Copy & paste — that's it
Tool 'xyz' not found

Fix: Add tool to tools: configuration in workflow frontmatter

Related Documentation